This document describes how to report security vulnerabilities in the crates maintained in this repository.

Security fixes are provided for:

• The main branch.
• The latest released versions of crates published from this repository.

Older versions may not receive security backports. If you are using an older release, please plan to upgrade to a supported version to receive fixes.

Please do not report security issues via public GitHub issues, pull requests, Discord, or other public channels.

Instead, use GitHub's private vulnerability reporting:

1. Go to this repository's Security tab.
2. Click Report a vulnerability (or create a New draft security advisory).

Include as much of the following as you can:

• Affected crate(s) and version(s), and whether you are using crates.io releases or git revisions.
• Impact and severity assessment (what an attacker can do).
• Reproduction steps and a minimal proof-of-concept (request/response samples help a lot).
• Any relevant configuration (enabled features, TLS backend, proxy setup, etc).

If you're not sure whether something is a security issue, report it anyway and mark it as uncertain.

After receiving a report, maintainers will make a best effort to:

• Triage and assess impact, then work on a fix.
• Coordinate a release and publish an advisory when a fix is available.

Please keep vulnerability details confidential until an advisory is published (or maintainers confirm it is safe to disclose).