
Security: lambdaclass/librlp


.github/SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in librlp, please report it responsibly:

  1. Do NOT open a public issue.
  2. Email us at security@lambdaclass.com with:
    • A description of the vulnerability
    • Steps to reproduce
    • Potential impact assessment
    • Suggested fix (if any)

We will acknowledge your report within 48 hours and aim to provide a fix within 7 days for critical issues.

Scope

This policy covers:

  • The librlp and librlp-derive crates
  • Encoding/decoding correctness (e.g., accepting invalid RLP, producing non-canonical output)
  • Memory safety issues
  • Denial of service via crafted input (e.g., excessive allocation)
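As an added illustration of the encoding-correctness and crafted-input items above (example code written for this page, not librlp's own decoder), the following minimal RLP item-header decoder rejects the non-canonical forms that a strict decoder must refuse (a single byte below 0x80 wrapped as a string, a long-form length under 56, a length with a leading zero byte) and checks every declared length against the bytes actually present before touching them, so an 8-byte length field in a 9-byte input can never drive an allocation. The `Item`, `RlpError` and `decode_item` names are assumptions made for this example.

```rust
// Added example, not librlp code: a strict, allocation-free RLP item decoder.
// Payloads are borrowed from the input slice, so a hostile declared length is
// rejected by a bounds check rather than turned into a huge Vec.

#[derive(Debug, PartialEq, Eq)]
pub enum Item<'a> {
    Bytes(&'a [u8]),
    /// Raw payload of a list; nested items are not decoded here.
    List(&'a [u8]),
}

#[derive(Debug, PartialEq, Eq)]
pub enum RlpError {
    Empty,
    Truncated,
    NonCanonicalSingleByte, // 0x81 0x05 instead of 0x05
    NonCanonicalLength,     // long form used for a payload under 56 bytes
    LeadingZeroInLength,    // length field padded with 0x00
    LengthOverflow,         // length field wider than usize or end past usize::MAX
    TrailingBytes,
}

/// Parse the big-endian length that follows a 0xb8..=0xbf or 0xf8..=0xff prefix,
/// enforcing the canonical-encoding rules on the length field itself.
fn decode_length(len_bytes: &[u8]) -> Result<usize, RlpError> {
    if len_bytes[0] == 0 {
        return Err(RlpError::LeadingZeroInLength);
    }
    if len_bytes.len() > core::mem::size_of::<usize>() {
        return Err(RlpError::LengthOverflow);
    }
    let mut n: usize = 0;
    for &b in len_bytes {
        n = (n << 8) | b as usize;
    }
    if n < 56 {
        return Err(RlpError::NonCanonicalLength);
    }
    Ok(n)
}

/// Decode one item and return the unconsumed remainder of `input`.
pub fn decode_prefix(input: &[u8]) -> Result<(Item<'_>, &[u8]), RlpError> {
    let &first = input.first().ok_or(RlpError::Empty)?;
    match first {
        // A single byte in 0x00..=0x7f is its own encoding.
        0x00..=0x7f => Ok((Item::Bytes(&input[..1]), &input[1..])),
        // Short string: 0..=55 payload bytes follow the prefix.
        0x80..=0xb7 => {
            let len = (first - 0x80) as usize;
            let payload = input.get(1..1 + len).ok_or(RlpError::Truncated)?;
            if len == 1 && payload[0] < 0x80 {
                return Err(RlpError::NonCanonicalSingleByte);
            }
            Ok((Item::Bytes(payload), &input[1 + len..]))
        }
        // Long string: 1..=8 length bytes, then the payload.
        0xb8..=0xbf => {
            let len_of_len = (first - 0xb7) as usize;
            let len_bytes = input.get(1..1 + len_of_len).ok_or(RlpError::Truncated)?;
            let len = decode_length(len_bytes)?;
            let start = 1 + len_of_len;
            let end = start.checked_add(len).ok_or(RlpError::LengthOverflow)?;
            // `get` returns None instead of panicking or allocating when the
            // declared length exceeds what was actually received.
            let payload = input.get(start..end).ok_or(RlpError::Truncated)?;
            Ok((Item::Bytes(payload), &input[end..]))
        }
        // Short list: 0..=55 payload bytes follow the prefix.
        0xc0..=0xf7 => {
            let len = (first - 0xc0) as usize;
            let payload = input.get(1..1 + len).ok_or(RlpError::Truncated)?;
            Ok((Item::List(payload), &input[1 + len..]))
        }
        // Long list: same length rules as a long string.
        0xf8..=0xff => {
            let len_of_len = (first - 0xf7) as usize;
            let len_bytes = input.get(1..1 + len_of_len).ok_or(RlpError::Truncated)?;
            let len = decode_length(len_bytes)?;
            let start = 1 + len_of_len;
            let end = start.checked_add(len).ok_or(RlpError::LengthOverflow)?;
            let payload = input.get(start..end).ok_or(RlpError::Truncated)?;
            Ok((Item::List(payload), &input[end..]))
        }
    }
}

/// Decode exactly one item; anything left over is an error, not silently ignored.
pub fn decode_item(input: &[u8]) -> Result<Item<'_>, RlpError> {
    let (item, rest) = decode_prefix(input)?;
    if !rest.is_empty() {
        return Err(RlpError::TrailingBytes);
    }
    Ok(item)
}

fn main() {
    // Constructed inputs: a canonical list, and a 9-byte input claiming a 2^56-1 byte payload.
    println!("{:?}", decode_item(&[0xc2, 0x01, 0x02]));
    println!("{:?}", decode_item(&[0xbe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff]));
}
```

The same rejections (non-canonical single byte, non-canonical length, leading zero, truncation) are exactly the divergences a differential fuzzer between two RLP implementations is looking for: if one decoder accepts a byte string the other refuses, one of them is out of spec.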

Supported Versions

Version   Supported
0.1.x     Yes

Automated Security Measures

  • cargo-audit runs weekly and on every PR via CI
  • cargo-deny checks license compliance on every PR
  • Miri runs the full test suite to detect undefined behavior
  • 7 fuzz targets run on every PR (smoke) and nightly (extended)
  • Differential fuzzing against alloy-rlp and ethrex-rlp catches encode/decode divergences

There aren't any published security advisories