Security fixes are applied to the master branch and the latest stable release published on
crates.io. Older releases are not actively maintained.

| Version | Supported |
|---|---|
| master | ✅ |
| latest stable | ✅ |
| older | ❌ |

Please report security vulnerabilities through one of the following channels, in order of preference:
- GitHub private vulnerability reporting. Use the "Report a vulnerability" button on the Security tab of the repository. This keeps the report private until a fix is ready.
- Contact a maintainer directly. Reach out via email or via direct message on Discord, as described in CODE_OF_CONDUCT.md.

Please include as much detail as you can: a description of the issue, steps to reproduce, affected versions, and any suggested mitigations.

cpal is a volunteer project maintained entirely in the maintainers' free time and provided free of charge. We take security seriously and will investigate every report and respond as soon as possible, but we cannot commit to a specific response time or resolution deadline. We appreciate your patience and understanding.

Once a report is received, you can generally expect:
- An acknowledgement that your report was received.
- An assessment of the impact and whether the report is accepted or declined, with reasoning.
- Coordination on a fix and disclosure timeline if the vulnerability is accepted.