Security vulnerabilities may be reported using the GitHub Vulnerability Reporting Tool. If you prefer email, you may also report security vulnerabilities to any of the maintainers' email addresses listed in the NOTICE.md file (ideally encrypted using PGP). DO NOT open a public GitHub issue for security vulnerabilities.

When reporting a security vulnerability, please provide instructions on how to reproduce the issue. Do not send reports that were generated with automated vulnerability scanning or AI tools without verifying that they are not false positives or without providing additional context.

Also, please ensure that reported security vulnerabilities pertain to libcoap-rs and/or libcoap-sys in particular, not to the libcoap C library or any libraries libcoap depends on. For instructions on reporting security vulnerabilities that pertain to libcoap, refer to its own security policy.

As libcoap-rs is not maintained by a for-profit entity, we do not offer any monetary compensation for vulnerability or bug reports, but your contributions are greatly appreciated.

Lastly, please note that as an open source project, libcoap-rs and libcoap-sys are provided "as is", i.e., without any warranty or guarantee of fitness for a particular purpose (see below).

We are very thankful to the following people for reporting security issues in the past:

• None yet.