
Security: ateeq1999/rok-utils


SECURITY.md

Security Policy

Supported Versions

Version Supported
0.2.x
0.1.x
< 0.1

Reporting a Vulnerability

If you discover a security vulnerability within rok-utils, please follow these steps:

  1. Do NOT open a public GitHub issue for the vulnerability.

  2. Send an email to the maintainer with:

    • A description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact of the vulnerability
    • Any suggested fixes (optional)

  3. Wait for acknowledgment from the maintainer (typically within 48 hours).

  4. Once the vulnerability is confirmed and a fix is ready:

    • A security advisory will be created on GitHub
    • The fix will be released in a patch version
    • Credit will be given to the reporter (unless anonymity is requested)

Security Best Practices

When using rok-utils, consider these security best practices:

Cryptographic Operations

  • Use secure_compare for timing-safe comparisons (e.g., API keys, tokens)
  • Use hash_sha256 for password hashing (though for production, consider argon2 or bcrypt)
  • Generate tokens with generate_token for cryptographic randomness
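The reason the first bullet matters is shown below with an added example, written for this page rather than taken from rok-utils (the crate's own secure_compare signature is not shown here, so ct_eq is a hypothetical stand-in): a naive comparison stops at the first differing byte, so its running time reveals how many leading bytes of a presented API key were correct; the constant-time version does the same work regardless of where the inputs differ.

```rust
// Added example for this page; not rok-utils' own code.
// ct_eq plays the role the text assigns to secure_compare (assumed API).

/// Naive comparison: exits at the first mismatching byte, so the time it
/// takes depends on how long the common prefix is. Shown only for contrast.
pub fn naive_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).all(|(x, y)| x == y)
}

/// Timing-safe comparison: folds every byte pair into one accumulator with
/// XOR/OR, so the loop never terminates early and the amount of work does
/// not depend on where (or whether) the inputs differ.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    // Length is compared up front. This leaks only the length, which for
    // fixed-format tokens (the page's API-key/token use case) is not secret.
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    // black_box discourages the optimizer from rewriting the accumulation
    // back into an early-exit branch on `diff`.
    std::hint::black_box(diff) == 0
}

/// Check a key presented by a client against the stored expected value.
/// Both sides are compared as bytes; the caller keeps `stored` secret.
pub fn verify_api_key(presented: &str, stored: &str) -> bool {
    ct_eq(presented.as_bytes(), stored.as_bytes())
}

fn main() {
    // Constructed sample values, not real credentials.
    let stored = "tok_3f9a1c";
    println!("exact match:    {}", verify_api_key("tok_3f9a1c", stored));
    println!("one byte off:   {}", verify_api_key("tok_3f9a1d", stored));
    println!("wrong length:   {}", verify_api_key("tok_3f9a", stored));
}
```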

Input Validation

  • Always validate user input before passing it to the string utilities
  • Use RokError::ValidationFailure for structured validation errors

Error Handling

  • Never expose internal error details to end users in production
  • Log errors securely without leaking sensitive information

Dependencies

rok-utils keeps dependencies minimal and reviews them regularly:

  • Heavy cryptographic dependencies (sha2, md-5, subtle) are feature-gated
  • All dependencies are reviewed for security vulnerabilities
  • We aim to use well-established, audited crates

Thank You

We appreciate the security research community's efforts to make rok-utils safer for everyone.
