Security fixes are applied to the latest released minor version on crates.io. Older minor versions are not patched; downstream consumers are expected to upgrade.
Report suspected security issues privately via GitHub Security Advisories:
https://github.com/mootable/decimal-scaled/security/advisories/new
If you cannot use GitHub Security Advisories, email the maintainer at jackokmoxley@gmail.com with subject line `decimal-scaled security` and a brief description; the maintainer will follow up to coordinate a private channel.
Please include:
- A description of the vulnerability and its impact.
- Steps to reproduce, including a minimal reproducer if possible.
- The affected version(s).
You can expect an initial acknowledgement within 7 days. Coordinated disclosure timelines are agreed case by case once the report is triaged.
In scope:
- Memory-safety issues in the `decimal-scaled` crate.
- Numerical correctness issues that could lead to a deterministic exploit downstream (e.g., a wide-tier kernel returning a value outside the documented `≤ 0.5 ULP` contract).
- Build-time supply-chain issues in the published crate.
Out of scope:
- Performance regressions (use a regular GitHub issue).
- Documentation errors (use a regular GitHub issue).
- Issues in dependencies — please report those upstream and to RustSec (https://rustsec.org).