To add an advisory to the RustSec database, open a Pull Request against this repository containing the new advisory:
- Create a file named `RUSTSEC-0000-0000.toml` in the `crates/<yourcratename>` subdirectory of this repository (you may need to create it if it doesn't exist).
- Copy and paste the TOML advisory template from the README.md file in this repo. Delete the comments and additional whitespace, and fill it out with the details of the advisory.
- Open a Pull Request. After being reviewed, your advisory will be assigned a `RUSTSEC-*` advisory identifier and be published to the database.
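Before opening the PR it is worth catching the slips that are easy to make at this point: a file in the wrong place or under a real-looking name, template comments left in, a `package` that does not match the `crates/<yourcratename>` directory, and an `aliases` entry that is not a CVE or GHSA identifier. The following pre-flight check is an added example, not the RustSec project's own tooling and no substitute for whatever runs on the PR itself. It assumes the layout above, that the file's `id` carries the same `RUSTSEC-0000-0000` placeholder as its name, and that the `[advisory]` table has `package`, `date` and `aliases` keys as in the README template; it parses only the small TOML subset those keys need. The crate name, GHSA alias and bug in the two embedded samples are constructed.

```rust
// Added example, not RustSec's own tooling and no substitute for the checks run on
// the PR. Assumes the layout above (crates/<crate>/RUSTSEC-0000-0000.toml) and an
// [advisory] table with `id`, `package`, `date` and `aliases` keys as in the README
// template. Reads only a TOML subset: `key = "string"` or `key = ["a", "b"]` on one
// line, `"""` multi-line strings and `#` comment lines.
use std::collections::HashMap;
pub const PLACEHOLDER_ID: &str = "RUSTSEC-0000-0000";
/// table name -> key -> values (a scalar is stored as a one-element vector)
pub type Tables = HashMap<String, HashMap<String, Vec<String>>>;

/// Parse the subset above; the `#` line count exposes leftover template comments.
pub fn parse_subset(text: &str) -> Result<(Tables, usize), String> {
    let (mut tables, mut comments, mut current) = (Tables::new(), 0usize, None::<String>);
    let mut lines = text.lines().map(str::trim);
    while let Some(line) = lines.next() {
        if line.is_empty() { continue; }
        if line.starts_with('#') { comments += 1; continue; }
        if line.starts_with('[') && line.ends_with(']') && !line.contains('=') {
            current = Some(line[1..line.len() - 1].to_string()); // [table] header
            continue;
        }
        let table = current.clone().ok_or(format!("key before any table: {line}"))?;
        let (key, raw) = line.split_once('=').map(|(k, r)| (k.trim().to_string(), r.trim()))
            .ok_or(format!("unsupported line: {line}"))?;
        let values = if let Some(mut body) = raw.strip_prefix("\"\"\"").map(String::from) {
            while !body.trim_end().ends_with("\"\"\"") { // read up to the closing quotes
                body += "\n";
                body += lines.next().ok_or(format!("unterminated string for {key}"))?;
            }
            vec![body.trim_end().trim_end_matches("\"\"\"").trim().to_string()]
        } else if let Some(inner) = raw.strip_prefix('[').and_then(|r| r.strip_suffix(']')) {
            inner.split(',').map(|s| s.trim().trim_matches('"').to_string()).filter(|s| !s.is_empty()).collect()
        } else {
            vec![raw.trim_matches('"').to_string()] // single-line string (or bare value)
        };
        tables.entry(table).or_default().insert(key, values);
    }
    Ok((tables, comments))
}

fn first<'a>(t: &'a HashMap<String, Vec<String>>, key: &str) -> &'a str {
    t.get(key).and_then(|v| v.first()).map_or("", String::as_str)
}
/// YYYY-MM-DD: ten bytes, digits everywhere except the two dashes.
pub fn is_iso_date(s: &str) -> bool {
    s.len() == 10 && s.bytes().enumerate().all(|(i, c)| if i == 4 || i == 7 { c == b'-' } else { c.is_ascii_digit() })
}
/// CVE-YYYY-NNNN (four or more digits in the sequence) or GHSA-xxxx-xxxx-xxxx.
pub fn is_cve_or_ghsa(s: &str) -> bool {
    fn digits(t: &str) -> bool { !t.is_empty() && t.bytes().all(|c| c.is_ascii_digit()) }
    match s.split('-').collect::<Vec<_>>().as_slice() {
        ["CVE", y, n] => y.len() == 4 && digits(y) && n.len() >= 4 && digits(n),
        ["GHSA", a, b, c] => [a, b, c].iter().all(|p| p.len() == 4 && p.bytes().all(|ch| ch.is_ascii_alphanumeric())),
        _ => false,
    }
}
/// Problems found; an empty Vec means the file is ready for the PR.
pub fn check_advisory(path: &str, text: &str) -> Vec<String> {
    let mut problems = Vec::new();
    let parts: Vec<&str> = path.split('/').collect();
    let crate_dir = match parts.as_slice() {
        ["crates", dir, name] if *name == format!("{PLACEHOLDER_ID}.toml") => Some(*dir),
        _ => { problems.push(format!("expected crates/<crate>/{PLACEHOLDER_ID}.toml (the id is assigned after review), got {path}")); None }
    };
    let (tables, comments) = match parse_subset(text) {
        Ok(parsed) => parsed,
        Err(e) => { problems.push(format!("parse error: {e}")); return problems; }
    };
    if comments > 0 { problems.push(format!("{comments} template comment line(s) still present; delete them")); }
    let adv = tables.get("advisory").cloned().unwrap_or_default();
    let (id, package, date) = (first(&adv, "id"), first(&adv, "package"), first(&adv, "date"));
    if id != PLACEHOLDER_ID { problems.push(format!("id must be the placeholder {PLACEHOLDER_ID:?}, got {id:?}")); }
    if matches!(crate_dir, Some(dir) if dir != package) { problems.push(format!("package {package:?} does not match the crates/<crate> directory")); }
    if !is_iso_date(date) { problems.push(format!("date must be YYYY-MM-DD, got {date:?}")); }
    for alias in adv.get("aliases").into_iter().flatten().filter(|a| !is_cve_or_ghsa(a.as_str())) {
        problems.push(format!("alias {alias:?} is neither a CVE nor a GHSA identifier"));
    }
    problems
}

/// Constructed sample that should pass; crate name, alias and bug are placeholders.
pub const GOOD: &str = r#"[advisory]
id = "RUSTSEC-0000-0000"
package = "example-crate"
date = "2023-05-01"
aliases = ["GHSA-xxxx-xxxx-xxxx"]
description = """
`LineBuffer::first_line` returns a `&'static str` into the buffer's own storage,
so safe callers can keep reading it after the buffer is dropped.
"""
"#;
/// Constructed sample with four mistakes: a template comment left in, a package
/// name that differs from the directory, a free-form date and a malformed alias.
pub const BAD: &str = r#"[advisory]
# Advisory identifier (assigned on merge; leave the placeholder)
id = "RUSTSEC-0000-0000"
package = "examplecrate"
date = "May 1st 2023"
aliases = ["GHSA-12345"]
"#;
```

Call `check_advisory` with the path you created and the file's contents; an empty result means all four checks passed. Anything outside the parsed subset (an inline `# comment` after a value, an array spread over several lines) shows up as a parse error or a wrong value rather than being silently accepted, which is the right failure mode for a pre-flight check.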
Feel free to do either or both of these as you see fit (we recommend you do both):
- Yank the affected versions of the crate.
- Request a CVE for your vulnerability: https://iwantacve.org/
  Alternatively, you can create a GitHub Security Advisory (GHSA) and let GitHub request a CVE for you. In that case, add the GHSA ID to the RustSec advisory via the `aliases` field.
RustSec is a database of security vulnerabilities. The following are examples of qualifying vulnerabilities:
- Code Execution (i.e. RCE)
- Memory Corruption
- Privilege Escalation (either at OS level or inside of an app/library)
- File Disclosure / Directory Traversal
- Web Security (e.g. XSS, CSRF)
- Format Injection (e.g. missing shell escaping, SQL injection; XSS also falls under this category)
- Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage)
- Covert and side channels (e.g. Spectre, Meltdown)
- Panics in code advertised as "panic-free" (particularly if useful for network DoS attacks)
Moreover, RustSec also tracks soundness issues as informational advisories, regardless of whether they are known to be exploitable vulnerabilities. A soundness issue arises when safe code, using only a crate's safe API, can cause Undefined Behavior.
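To make that definition concrete, the following is an added example, not from the RustSec database or from any real crate (`LineBuffer` and its methods are invented for this page): a safe method that is unsound, beside its fix. Nothing about calling the unsound method is itself dangerous; the problem is its signature, which lets ordinary safe code end up holding a dangling reference.

```rust
// Added example, not from the RustSec database or any real crate: the kind of
// API an informational soundness advisory is filed against, beside its fix.
// `LineBuffer` and both methods are invented for this page.
pub struct LineBuffer { text: String }

impl LineBuffer {
    pub fn new(text: &str) -> Self { LineBuffer { text: text.to_string() } }

    /// UNSOUND. The signature promises a `&'static str`, but the transmute only
    /// hides that the slice still points into `self.text`. Safe code can therefore
    /// keep the result after the buffer is dropped and read freed memory, so this
    /// is a soundness issue whether or not any caller currently does that.
    pub fn first_line(&self) -> &'static str {
        let line = self.text.split('\n').next().unwrap_or("");
        unsafe { std::mem::transmute::<&str, &'static str>(line) }
    }

    /// The fix (given a new name only so both versions can sit side by side):
    /// tie the borrow to `&self`, and the borrow checker rejects every use of
    /// the line after the buffer is gone. No `unsafe` is needed at all.
    pub fn first_line_fixed(&self) -> &str {
        self.text.split('\n').next().unwrap_or("")
    }
}

/// Entirely safe code that compiles against the unsound API and returns a
/// dangling reference. Never call it: reading the result is Undefined Behavior.
pub fn dangling_from_safe_code() -> &'static str {
    let buf = LineBuffer::new("first\nsecond");
    buf.first_line() // `buf` is freed when the function returns; the &str is not
}

/// The same task against the fixed API. Replacing `first_line_fixed` with
/// `first_line` here would still compile; replacing `first_line` with
/// `first_line_fixed` in `dangling_from_safe_code` is rejected by the borrow checker.
pub fn first_line_len(text: &str) -> usize {
    let buf = LineBuffer::new(text);
    buf.first_line_fixed().len() // borrow ends before `buf` is dropped
}
```

This is what an informational advisory records: the crate's safe API can be driven from safe code into Undefined Behavior. It does not need a demonstrated exploit, and the fixed version shows why the fix is a signature change rather than a runtime check.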
When in doubt, please open a PR.
Q: Do I need to be owner of a crate to file an advisory?
A: No, anyone can file an advisory against any crate. The legitimacy of vulnerabilities will be determined prior to merging. If a vulnerability turns out to be fake, it will be removed from the database.
Q: Can I file an advisory without creating a pull request?
A: Yes, instead of creating a full advisory yourself you can also open an issue on the advisory-db repo or email information about the vulnerability to rustsec@googlegroups.com.
Q: Does this project have a GPG key or other means of handling embargoed vulnerabilities?
A: We do not presently handle embargoed vulnerabilities. Please ensure embargoes have been lifted and details have been disclosed to the public prior to filing them against RustSec.