Security: grpyc/upb

SECURITY.md

Security Policy

Reporting a vulnerability

If you discover a security issue in upb or upb-sys, please report it privately to Signeen Inc. Do not open a public GitHub issue.

Email: mehrdad@signeen.com
PGP: not yet published — request a key in plain text and one will be sent before any sensitive disclosure.

Please include:

  • A clear description of the issue
  • Steps to reproduce (or a minimal proof-of-concept)
  • The crate version(s) affected (upb and/or upb-sys)
  • The platform and toolchain you observed it on

We aim to acknowledge reports within 5 business days. Depending on severity and complexity, fixes typically land in 1-4 weeks.

Scope

In scope:

  • Memory-safety bugs in the safe wrapper layer (upb)
  • FFI lifetime or aliasing bugs in upb-sys
  • Decoder crashes / panics on malformed wire input (we fuzz this; new findings always welcome)
  • Information disclosure or escalation paths through the public API

Out of scope (forward upstream to https://github.com/protocolbuffers/protobuf):

  • Bugs in upb itself (the vendored C library). We will track the upstream fix and pull it into a new vendor pin.
  • Bugs in cc-rs, bindgen, or other transitive build tooling

Supported versions

Stable release: only the latest stable release, 0.1.0, is supported. Stable releases follow Semantic Versioning; security fixes target the latest minor at minimum.

Disclosure

Once a fix is available we publish a coordinated advisory through GitHub Security Advisories, credit the reporter (unless anonymity is requested), and yank affected versions from crates.io if a backport isn't feasible.

There aren't any published security advisories