Security: zip-rs/zip2

SECURITY.md

Security Policy

Supported Versions

Only the latest released version is supported.

Reporting a Vulnerability

To report a vulnerability, please go to https://github.com/zip-rs/zip2/security/advisories/new. We'll attempt to:

  • Close the report within 7 days if it's invalid, or if a fix has already been released but some old versions needed to be yanked.
  • Provide progress reports at least every 7 days to the original reporter.
  • Aim to provide a fix within 30 days of the initial report. If a complete fix is not feasible in that timeframe (for example, due to complexity or external dependencies), we will communicate this to the reporter, share any available mitigations or workarounds, and adjust the expected timeline accordingly.

Disclosure

A vulnerability that affects a published version will only be publicly disclosed once (a) a version without the vulnerability has been published (a non-prerelease, unless all affected versions were prereleases) and (b) the affected versions have been yanked. Once that's done, the delay before full public disclosure will be determined as follows:

  • If the proof-of-concept is very simple, or an exploit is already in the wild (whether or not it specifically targets zip), all details will be made public right away.
  • If the vulnerability is specific to zip and cannot easily be reverse-engineered from the code history, then the proof-of-concept and most of the details will be withheld for another 14 days.
  • If a potential victim at credible risk requests more time to deploy a fix, then the withholding of details can be extended up to 30 days. This may be extended to 90 days for high-value government and nonprofit targets, when truly extraordinary circumstances are delaying the deployment.