Security: maracatu-labs/catraca

SECURITY.md

Security Policy

catraca handles raw TCP connections and passes file descriptors between processes via SCM_RIGHTS. Issues in this surface can have meaningful blast radius. Thanks for helping keep the project safe.

Reporting a vulnerability

Don't open public issues for vulnerabilities. Instead:

We'll acknowledge receipt within 72 hours and work with you to understand and fix the problem. Once a fix is published, we can credit you in the release notes if you'd like.

Scope

In scope:

  • Memory safety issues in src/ (Rust unsafe blocks, FFI with libc)
  • File descriptor leaks or double-close
  • Privilege escalation via the SCM_RIGHTS handoff
  • Incorrect handling of malformed input that affects worker behavior
  • Resource exhaustion (fd exhaustion, ring queue saturation)

Out of scope:

  • Vulnerabilities in dependencies (libc, io-uring) — report to upstream first, but please tell us if catraca is affected
  • Issues that require root or pre-existing access to the host
  • DoS via well-formed traffic at expected rates (this is an L4 dispatcher; it does not implement rate limiting by design — that's the worker's job or a separate layer)

Best practices for operators

  • Run catraca as a non-root user with the minimum capabilities required to listen on the configured port.
  • Keep io_uring available to the process and confirm your seccomp profile permits the required syscalls.
  • Constrain the listener port and bind address explicitly; the default 0.0.0.0 is convenient for development but you usually want a more specific bind in production.
  • Audit your worker processes — catraca trusts whatever process owns the .ctrl UDS to receive file descriptors.
  • Keep kernel and Rust toolchain updated.
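
One way to carry out the worker audit from the list above, as an added example that is not part of catraca or its documentation: a Python check of a worker's control socket and the directory that holds it. It assumes the .ctrl UDS is a pathname socket on the filesystem; the socket path and worker UID are arguments you supply, and the function name and finding codes are hypothetical.

```python
import os
import stat
import sys

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other


def audit_ctrl_socket(path, worker_uid):
    """Return a list of (code, detail) findings; an empty list means clean.

    Hypothetical helper: `path` is the worker's control socket and
    `worker_uid` is the account the worker is expected to run as.
    """
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return [("missing", path)]
    if not stat.S_ISSOCK(st.st_mode):
        return [("not-socket", path)]

    findings = []
    if st.st_uid != worker_uid:
        findings.append(("socket-owner", f"uid {st.st_uid}, expected {worker_uid}"))
    # On Linux, connect() to a pathname socket needs write permission on it.
    if st.st_mode & LOOSE:
        findings.append(("socket-writable", oct(stat.S_IMODE(st.st_mode))))

    # Write access to the directory lets another account create a socket at
    # this path while the worker is down, or replace it if the directory is
    # not sticky, and so become the process that receives the descriptors.
    parent = os.path.dirname(os.path.abspath(path))
    dst = os.stat(parent)
    if dst.st_uid not in (worker_uid, 0):
        findings.append(("dir-owner", f"{parent} uid {dst.st_uid}"))
    if dst.st_mode & LOOSE:
        findings.append(("dir-writable", f"{parent} {oct(stat.S_IMODE(dst.st_mode))}"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_ctrl.py <socket path> <worker uid>
    results = audit_ctrl_socket(sys.argv[1], int(sys.argv[2]))
    for code, detail in results:
        print(f"{code}: {detail}")
    sys.exit(1 if results else 0)
```
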

Security advisories

Published advisories appear in GitHub Security Advisories.

There aren't any published security advisories