Please report security vulnerabilities privately through GitHub's built-in Private Vulnerability Reporting:
- Go to the repository's Security tab.
- Click Report a vulnerability and fill out the advisory form.
If private reporting is unavailable for some reason, email security@santh.dev with:
- Affected version / commit SHA
- Reproduction steps and proof-of-concept (where safe to share)
- Impact assessment
You will receive an acknowledgement within 5 business days. Our coordinated-disclosure window is up to 90 days from acknowledgement; we will notify you before the fix ships.
Only the main branch (and the latest published crate / package release) receives security fixes. Vendored snapshots and forks are responsible for backporting.
The following are out of scope:
- Findings against archived branches or deprecated tags.
- Self-XSS or social-engineering attacks against maintainers.
- Reports that depend on a compromised upstream package without a reproducible downstream impact.
GHSA advisories are filed under the appropriate Santh GitHub organization. We coordinate CVE assignment via GitHub's CNA when a fix ships.