Security: RomanEmreis/ferrus

SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you have found a security vulnerability in ferrus, please do not report it in a public issue first.

Instead:

  • contact the project maintainers privately if a private channel is available;
  • provide a clear description of the issue, impact, and reproduction details;
  • include any suggested mitigation if you have one;
  • allow reasonable time for the issue to be investigated and fixed before public disclosure.

If this repository later adds a dedicated security email address or private advisory workflow, this document should be updated to point to it directly.

What to include

Useful reports usually contain:

  • the affected version or commit;
  • the environment and platform involved;
  • steps to reproduce;
  • the security impact;
  • any proof of concept, logs, or patches that help validate the issue.

Supported versions

ferrus is still evolving quickly. In practice, security fixes are most likely to be applied to the latest development line first.

If you are reporting an issue against an older version, please include the exact version and whether the problem still reproduces on the current codebase.

Disclosure expectations

The project will try to acknowledge valid reports, assess impact, and fix confirmed vulnerabilities in a reasonable timeframe. Exact response times are not guaranteed.

Please avoid public disclosure until maintainers have had a fair opportunity to investigate and respond.

There aren’t any published security advisories