ferrocat is still pre-1.0, so security fixes are generally developed against the latest release on main and then shipped in the next published crate version.
At the moment, only the latest published release line is supported for security updates.
Please do not open a public GitHub issue for suspected security vulnerabilities.
Use GitHub's private security advisory flow for this repository instead:
If that flow is unavailable to you, contact a maintainer privately through GitHub and include:
- the affected crate and version
- a short impact summary
- reproduction steps or a minimal proof of concept
- any known mitigations or workarounds
You can expect an initial response within a few business days. We will try to acknowledge the report quickly, reproduce it, agree on disclosure timing, and publish a fix or mitigation guidance as soon as practical.