# Security Policy

## Reporting a vulnerability

Report security issues privately via GitHub's [private security advisory form](https://github.com/reh3502/zipatch-rs/security/advisories/new) — do not open a public issue.

Include enough detail to reproduce: affected version, the patch file or a small generator, expected behavior, observed behavior. Initial response within a week.

## Supported versions

Only the latest minor release on crates.io receives security fixes. Older versions are not back-patched.

## Scope

`zipatch-rs` parses untrusted binary input (patch files). Memory-safety bugs, panics on hostile input, and arithmetic overflows or underflows that reach allocation, seek, or write paths are in scope. The crate forbids `unsafe` at the root, so unsoundness from this crate's own code is unexpected — but its parsers run on attacker-controllable bytes, so robustness against malformed input is the explicit goal.

The `fuzz/` subcrate is the standing harness for this surface; new fuzz targets accompanying a vulnerability report are appreciated.