1
+ <PageHeader @title =' Security Information' />
2
+
3
+ <TextContent @boxed ={{ true }} >
4
+
5
+ <h2 id =' security' >Security of crates.io itself</h2 >
6
+
7
+ <p >Safety is one of the core principles of Rust, and to that end, we would like to ensure that cargo, crates.io, docs.rs, and
8
+ related tools have secure implementations. To disclose security vulnerabilities in
9
+ <a href =' https://github.com/rust-lang' >any repository in the rust-lang organization</a >, please follow the
10
+ <a href =' https://www.rust-lang.org/policies/security' >Rust Security policy</a >.</p >
11
+
12
+ <p >Thank you for taking the time to responsibly disclose any issues you find.</p >
13
+
14
+ <h2 id =' security' >Security of crates hosted on crates.io</h2 >
15
+
16
+ <p >To disclose security vulnerabilities found in a crate that is hosted on crates.io, seek guidance from the individual crate's
17
+ owners and their specific policies. Commonly, projects include a file named <code >SECURITY.md</code > that contains the
18
+ crate's security policies and procedures.</p >
19
+
20
+ <h2 id =' rustsec' >Rustsec Security Advisory Database for receiving security updates</h2 >
21
+
22
+ <p >The <a href =" https://rustsec.org/" >Rustsec Security Advisory Database</a > maintains advisories about vulnerabilities in
23
+ crates published on crates.io. Maintained by the <a href =" https://www.rust-lang.org/governance/wgs/wg-secure-code" >Secure
24
+ Code Working Group</a >, the information is available in a variety of forms to incorporate into your development practices.
25
+ See <a href =" https://rustsec.org/contributing.html" >their steps to submit a vulnerability to the database</a >.</p >
26
+
27
+ <h2 id =' security-help' >Ecosystem security help for crate authors</h2 >
28
+
29
+ <p >Security is a value important to the Rust ecosystem as a whole, not just to the Rust language. If you are a crate author and
30
+ you have received a high impact/severity security bug report for your crate, the Rust Foundation and the Rust Project are
31
+ available to help manage the situation. The Rust Project or the Rust Foundation may also be the ones reaching out to you, if
32
+ they have been informed of a security issue.</p >
33
+
34
+ <p >As part of its <a href =" https://foundation.rust-lang.org/tags/security%20initiative/" >Security Initiative</a >, the Rust
35
+ Foundation:</p >
36
+
37
+ <ul >
38
+ <li >Employs security engineers who can help assessing the problem, developing mitigations, and estimating impact.</li >
39
+ <li >Has a network of member organizations that can help with testing resources and also employ security experts who can help
40
+ with assessing and fixing issues.</li >
41
+ <li >Employs communications staff who can manage publishing notifications and fielding inquiries.</li >
42
+ <li >Has contacts with government agencies tasked with cybersecurity protections who may have information on exploitation or
43
+ impact of a security problem.</li >
44
+ </ul >
45
+
46
+ <p >The Rust Project can coordinate actions among other parts of the ecosystem that may need to be updated to address a fix.</p >
47
+
48
+ <
p >Please reach out to <
a href =" mailto:[email protected] " >
[email protected] </
a > if either the Rust Project or
49
+ the Rust Foundation can help you by providing security support in the areas listed above or in another way! These are just a
50
+ few examples of the kind of help available to crate authors facing security challenges.</p >
51
+
52
+ </TextContent >
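Review bot: Both section headings reuse the same anchor, `id =' security'` (first on "Security of crates.io itself" and again on "Security of crates hosted on crates.io"), which is invalid HTML (ids must be unique) and means a `#security` link can only ever reach the first heading; give the second one its own id, for example `id =' crates-security'`, consistent with the distinct `rustsec` and `security-help` ids used further down. Two smaller points while here: "Employs security engineers who can help assessing the problem" reads better as "who can help assess the problem", and the contact address in the `mailto:` link appears as a placeholder in this view, so confirm the committed template carries the real address before this is merged.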