Security: Lowband21/ferrex

.github/SECURITY.md

Security Policy

We take security seriously and appreciate responsible disclosure. Ferrex is currently maintained by a single maintainer (Grayson Hieb), so please allow for best‑effort response times.

Reporting a Vulnerability

  • Please do not open public issues for security vulnerabilities.
  • Prefer a private report to the maintainer:
    • If hosted on GitHub, use the repository’s “Report a vulnerability” (Security Advisories) feature, if available.
    • Otherwise, contact the maintainer directly via their GitHub profile. A dedicated security contact/alias may be published in the future.

We aim to acknowledge reports within 7 days and to provide a resolution or mitigation plan as quickly as practical, prioritizing severity and impact. If you do not receive an acknowledgement within 7 days, please send a gentle follow‑up.

Scope

This policy covers vulnerabilities in the Ferrex codebase and official distributions. Third‑party dependencies should be reported upstream when appropriate; we will coordinate if needed.

Supported Versions

  • Actively supported: main and the most recent stable release.
  • Older releases: Best‑effort only. Please consider updating to the latest version.

Disclosure

Once a fix is available, we may coordinate a disclosure date with the reporter. We will provide credit to reporters unless they request otherwise.

There aren’t any published security advisories