Security: esenmx/rand

SECURITY.md

Security Policy

Scope of "security" for this package

rand is a random-data generator for testing, mocking, and demos. Rand.password(), Rand.nonce(), Rand.secureCharCode(), and Rand.bytes() use dart:math.Random.secure() (the platform CSPRNG) and are safe in the cryptographic sense — the RNG choice is correct.

However, rand is not a credentials library. Treat its "secure" methods as building blocks for test fixtures and prototyping, not as a primary source of production secrets, password-generation policy, or key material. The package's stability contract is "test data" — defaults and character sets may shift in major versions. If a token or password your security depends on is being generated by rand in production, switch to package:cryptography or a platform key-management service.

In scope

  • A method documented as "secure" silently falls back to a non-secure RNG.
  • Rand.useRng / Rand.seed affects an output that documentation says it does not.
  • Rand.password() produces predictable output from a non-secure source.
  • Any input-validation gap that leads to a crash an attacker could trigger (rand is a library, so this is unlikely, but it is in scope).

Out of scope

  • "Your password generator is not OWASP-compliant" — by design, see above.
  • "The default password length is too short" — open a regular issue, not a security advisory.

Supported versions

Only the latest minor release line receives security fixes.

Version   Supported
4.x       yes
< 4.0     no

Reporting a vulnerability

Please do not open public GitHub issues for security reports.

Use GitHub's private vulnerability reporting instead. You should receive an acknowledgement within a few business days.

Include in your report:

  • A description of the vulnerability and its impact.
  • A minimal reproduction (Dart snippet or test case).
  • The package version affected.
  • Any proposed mitigations or fixes.

Disclosure timeline

We aim to:

  1. Acknowledge the report within 5 business days.
  2. Provide an initial assessment within 14 days.
  3. Coordinate a fix and release before public disclosure.
