Report security issues privately through GitHub's security advisory form. Security issues should not be reported via the public GitHub issue tracker.

Confirmed vulnerabilities are coordinated through the GitHub Security Advisory opened for the issue. Affected parties include the reporter, direct users of lora-packet, and maintainers of dependent crates where relevant.

Downstream maintainers can request inclusion in the coordination of a relevant advisory by commenting on the advisory thread. Participation is at the maintainers' discretion.

Security issues are disclosed through GitHub release notes and the RustSec advisory database (i.e. cargo audit).