Wickra is pre-1.0. Security fixes are applied to the latest released 0.1.x version only; please upgrade to the newest release before reporting an issue.

Do not open a public issue for a security vulnerability.

Report it privately through one of:

• GitHub's private vulnerability reporting ("Report a vulnerability" under the repository's Security tab), or
• email to kingchencp@gmail.com with a subject line starting with [wickra security].

Please include:

• the affected version(s) and platform / language binding,
• a description of the issue and its impact,
• steps to reproduce, ideally a minimal proof of concept.

• An acknowledgement within 5 working days.
• An assessment and, if confirmed, a planned fix with a target release.
• Coordinated disclosure: we will agree on a disclosure date with you and credit you in the release notes unless you prefer to stay anonymous.

In scope: the published crates (wickra-core, wickra-data, wickra), the PyPI/npm packages, and the build/release workflows in .github/workflows/.

Out of scope: vulnerabilities in third-party dependencies (report those upstream; we track them via Dependabot and cargo-deny).