
Security: ruvnet/midstream


SECURITY.md

Security Policy

Reporting a vulnerability

Do not open a public GitHub issue for security reports. Use one of the channels below.

Preferred: GitHub Security Advisories

File a private advisory at https://github.com/ruvnet/midstream/security/advisories/new. This opens a private conversation with the maintainers, scoped to the issue, with built-in CVE coordination.

Email fallback

If you can't use GitHub Security Advisories, email security@ruv.net with:

  • A description of the vulnerability and its impact.
  • Reproduction steps (or a proof-of-concept).
  • The affected crate name and version (or commit SHA).
  • Your suggested fix, if any.

PGP-encrypted reports are accepted; a key fingerprint will be published here once generated. For now, plain email is fine.

Response timeline

Step                           Target
Acknowledgement of receipt     within 72 hours
Initial assessment and triage  within 7 days
Fix in a release candidate     within 30 days for high-severity
Public disclosure / advisory   90 days from initial report, or coordinated earlier if a patch is available

If we miss any of these targets, we will say so in docs/triage-log.md and the corresponding advisory thread. Misses are public; we don't hide them.

Supported versions

Per ADR-0024, each crate has a stability tier. Security backports are provided as follows:

Tier           Versions receiving backports
stable (1.0+)  latest minor + previous minor
beta           latest released version only
alpha          latest released version only (best effort)

All current crates are alpha or beta. The full table lives in the ADR.

What counts as a vulnerability

  • Memory safety bugs (use-after-free, out-of-bounds, data race) in first-party code.
  • Cryptographic misuse (e.g. accepting invalid certificates by default — see ADR-0011).
  • Authentication, authorization, or input-validation bypasses.
  • Denial-of-service vectors that an attacker can trigger with bounded input (e.g. unbounded allocation from network input — ADR-0012/0015).
  • Supply-chain issues we can act on (e.g. a banned/vulnerable transitive — ADR-0014 / deny.toml).

Not in scope (please don't file as security)

  • Performance regressions in benchmark code.
  • Bugs that require attacker-controlled local filesystem or unrestricted shell access to exploit.
  • Issues in the vendored hyprstream-main/ directory while ADR-0002 is in flight — those should be reported upstream.

Public disclosure

Once a patch is available we publish a GitHub Security Advisory, request a CVE, and yank affected versions from crates.io. The advisory credits the reporter unless they request anonymity.
