Please report security issues privately — do not open a public issue for a vulnerability.

Use GitHub's private vulnerability reporting: Report a vulnerability (Security → Advisories → Report a vulnerability on the repository).

Include, as far as you can: the affected version, the platform (Windows / Linux / macOS), a description of the issue, and a minimal reproduction. You can expect an acknowledgement within a few days; a fix and coordinated disclosure follow once the issue is confirmed.

processkit manages process trees and touches privileged OS surfaces — Windows Job Objects, Linux cgroup v2, POSIX process groups, and on Unix it can drop privileges (uid/gid/supplementary groups/setsid). Bugs in these paths can have safety or isolation consequences (a leaked subprocess, an incomplete privilege drop, a containment escape), so they are treated as security issues, not just functional ones.

The crate is pre-1.0. Only the latest published version on crates.io receives security fixes; please reproduce on the latest release before reporting.