Use the latest released crate version or the default branch. Security fixes are not backported to older versions unless noted in a release.
This crate is pre-1.0 and under active development, so API compatibility and security support are tied to the current release line.
Please report vulnerabilities privately using GitHub private vulnerability reporting:
https://github.com/acgetchell/la-stack/security/advisories/new
Do not open a public issue for suspected vulnerabilities.
Include:
- Affected crate version or commit.
- Enabled Cargo features, especially
exactif exact arithmetic is involved. - Steps to reproduce, ideally with a minimal Rust example or test.
- Expected and observed behavior.
- Security impact, such as a panic, denial of service, or incorrect result.
- Any relevant matrix, vector, or benchmark input shape, with sensitive data removed.
- A suggested fix or mitigation, if available.
For numerical correctness issues that are not security-sensitive, open a normal GitHub issue with a minimal reproduction.
- Reports are acknowledged as maintainer availability allows.
- The issue is triaged and its severity assessed on a best-effort basis.
- Accepted reports receive updates when there is meaningful progress or a material change in the assessment.
- For an accepted vulnerability, the project prepares a fix, publishes a GitHub Security Advisory, releases the fix, and requests a RustSec advisory when appropriate.
- If a report is declined, the reporter receives an explanation.
Please follow coordinated disclosure and avoid public disclosure until a fix or mitigation is available.
The crate uses #![forbid(unsafe_code)], which reduces memory-safety risk.
Security-relevant correctness and availability issues can still exist. In
scope are:
- Panics or crashes triggered by malformed or adversarial matrices or vectors.
- CPU or memory denial of service caused by crafted inputs, including inputs to optional exact-arithmetic paths.
- Incorrect numerical results that affect security, data integrity, or availability when processing untrusted input.
- Violations of documented exact-arithmetic guarantees, such as silent precision loss, when they have a security impact.
Out of scope are:
- Documented floating-point limitations, conditioning behavior, or rounding bounds that do not create a security impact.
- Performance limitations that are not exploitable as denial of service.
- Issues caused by use outside the documented API contracts or supported problem scope.
- Fixes are released on the latest supported release line. Older releases receive fixes only when explicitly noted.
- Releases are published to crates.io with corresponding GitHub releases.
- Accepted vulnerabilities are documented with GitHub Security Advisories and, when appropriate, RustSec advisories.
- Public technical detail may be limited until users have had a reasonable opportunity to update.
Applicable vulnerabilities may be disclosed through the
RustSec Advisory Database, enabling
detection with cargo audit.
Good-faith security research is welcome. Avoid privacy violations, data destruction, persistence, service disruption, and public disclosure before a fix or mitigation is available. Reports that follow coordinated disclosure and make a reasonable effort to avoid harm are treated as helpful contributions.
Responsible disclosure is appreciated. Reporters may be credited in advisories or release notes unless anonymity is requested.
This project uses GitHub CodeQL, Dependabot security updates, secret scanning
with push protection, cargo audit, zizmor, Clippy SARIF analysis, and
repository-owned Semgrep rules.