If you discover a security vulnerability in Ruchy, please report it responsibly:

1. DO NOT create a public GitHub issue
2. Email security concerns to: [email protected]
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Any suggested fixes

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Fix Development: Depends on severity
• Disclosure: Coordinated with reporter

• All code passes cargo clippy -- -D warnings
• No unsafe blocks in transpiled output (see ADR-003)
• Property-based testing with 10,000+ cases
• Mutation testing coverage ≥ 75%

• Regular cargo audit checks
• Dependabot enabled for security updates
• Minimal dependency footprint

• Reproducible builds via flake.nix
• Locked dependencies in Cargo.lock
• CI/CD runs all security checks

• Input size limits prevent DoS
• Recursion depth limits prevent stack overflow

• No arbitrary code execution
• Generated Rust code is safe by design

• Model runs locally (no external API calls)
• No user data transmitted