
Security: mpiton/vortex-mod-containers


.github/SECURITY.md

Security Policy

Supported Versions

Version   Supported
latest    yes (only the latest release receives security fixes)

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of these methods:

  1. GitHub Security Advisories: open a private report through the repository's Security Advisory feature on GitHub
  2. Email: send details to matpiton@protonmail.com

Scope

Security-sensitive areas in this plugin:

  • Crypto (src/crypto.rs): AES-128-CBC primitives. Bugs that allow plaintext recovery without the embedded key, or that cause buffer over-reads on malformed input (for example ciphertext whose length is not a multiple of the 16-byte block size), are in scope.
  • Format parsers (src/{dlc,ccf,rsdf,metalink}.rs): malformed container blobs that trigger panics, infinite loops, or DoS-grade memory growth (for example a length field that drives an unbounded allocation) are in scope.
  • Trust boundary: this plugin declares http = false, so it makes no outbound network calls. A change that re-enables outbound network calls without an explicit ADR and a plugin.toml capability bump is a security regression, and is in scope.
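The parser and crypto bullets above describe two bug classes: a parser that panics or allocates without bound on a malformed blob, and a CBC routine handed input that is not block-aligned. The example below is added here to show what a report-worthy "minimal container blob" looks like against a naive parser and how the hardened form rejects it. It is not code from vortex-mod-containers, and the record layout (u32 little-endian length followed by that many bytes of ciphertext), the `MAX_RECORD` cap and all function names are hypothetical stand-ins, not the DLC/CCF/RSDF/Metalink layouts the plugin parses.

```rust
use std::convert::TryInto;

/// AES block size: a CBC ciphertext must be a non-zero multiple of this.
const BLOCK: usize = 16;
/// Hypothetical cap on one record, enforced before any allocation so an
/// attacker-chosen length cannot drive memory growth.
const MAX_RECORD: usize = 1 << 20;

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    /// The blob ended inside a length field or inside a payload.
    Truncated { at: usize },
    /// The length field exceeds MAX_RECORD.
    TooLarge { at: usize, len: usize },
    /// The payload is not a non-zero multiple of the AES block size.
    Misaligned { at: usize, len: usize },
}

/// Builds a well-formed blob from payloads (constructed test data only).
pub fn build_blob(payloads: &[&[u8]]) -> Vec<u8> {
    let mut blob = Vec::new();
    for p in payloads {
        blob.extend_from_slice(&(p.len() as u32).to_le_bytes());
        blob.extend_from_slice(p);
    }
    blob
}

/// The shape of parser a malformed-blob report targets: it trusts the length
/// field. A blob cut off mid-record panics on the out-of-range slice, and a
/// length such as 0xFFFF_FFFF reserves 4 GiB before a single payload byte has
/// been checked. Shown for contrast; do not use.
pub fn parse_naive(blob: &[u8]) -> Vec<Vec<u8>> {
    let mut records = Vec::new();
    let mut pos = 0usize;
    while pos < blob.len() {
        let len = u32::from_le_bytes(blob[pos..pos + 4].try_into().unwrap()) as usize;
        pos += 4;
        let mut payload = Vec::with_capacity(len); // attacker-chosen size
        payload.extend_from_slice(&blob[pos..pos + len]); // panics if truncated
        records.push(payload);
        pos += len;
    }
    records
}

/// Hardened form: every read is bounds-checked with `get` before it happens,
/// offset arithmetic is checked, the size cap is applied before allocating,
/// and block alignment is verified before the bytes would reach a CBC routine.
/// Malformed input yields an Err the caller can report; it never panics.
pub fn parse_checked(blob: &[u8]) -> Result<Vec<Vec<u8>>, ParseError> {
    let mut records = Vec::new();
    let mut pos = 0usize;
    while pos < blob.len() {
        let hdr = blob.get(pos..pos + 4).ok_or(ParseError::Truncated { at: pos })?;
        let len = u32::from_le_bytes(hdr.try_into().unwrap()) as usize;
        let start = pos + 4;
        if len > MAX_RECORD {
            return Err(ParseError::TooLarge { at: pos, len });
        }
        if len == 0 || len % BLOCK != 0 {
            return Err(ParseError::Misaligned { at: pos, len });
        }
        let end = start.checked_add(len).ok_or(ParseError::Truncated { at: pos })?;
        let payload = blob.get(start..end).ok_or(ParseError::Truncated { at: start })?;
        records.push(payload.to_vec());
        pos = end;
    }
    Ok(records)
}

fn main() {
    // Constructed blobs: one valid, one truncated three bytes short, one with
    // a 15-byte (misaligned) payload, one whose length field is 0xFFFF_FFFF.
    let good = build_blob(&[&[0xAA; 16], &[0xBB; 16]]);
    let truncated = &good[..good.len() - 3];
    let misaligned = build_blob(&[&[0xCC; 15]]);
    let huge = vec![0xFF, 0xFF, 0xFF, 0xFF];

    println!("good: {:?}", parse_checked(&good).map(|r| r.len()));
    println!("truncated: {:?}", parse_checked(truncated));
    println!("misaligned: {:?}", parse_checked(&misaligned));
    println!("huge length: {:?}", parse_checked(&huge));
    // The naive parser panics on the truncated blob; catch it to show the contrast.
    let naive = std::panic::catch_unwind(|| parse_naive(truncated));
    println!("naive parser on truncated blob panicked: {}", naive.is_err());
}
```

A bug report for the parser scope is strongest when it ships one of these blobs (a few dozen bytes) together with the panic message or memory profile it produces; `parse_checked` shows the expected outcome, a typed `Err` at a specific offset, which is what the fix should be verified against.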

What to Include

  • Type of vulnerability
  • Steps to reproduce (a minimal container blob is ideal)
  • Impact assessment
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix or mitigation: Depends on severity

We appreciate responsible disclosure and will credit reporters in the resulting security advisory (unless you prefer to remain anonymous).
