We actively support the following versions with security updates:

Security patches are released as patch versions (e.g., 0.24.19 → 0.24.20) for the actively supported version line.

We take security vulnerabilities seriously. If you discover a security issue in masterror, please report it responsibly.

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Email security reports to: andrey.rozanov.vl@gmail.com
3. Include the following information:
   • Description of the vulnerability
   • Steps to reproduce or proof-of-concept
   • Affected versions (if known)
   • Potential impact assessment
   • Suggested fix (if available)

• Acknowledgment: Within 48 hours of report
• Initial assessment: Within 5 business days
• Fix development: Varies by severity (critical: <7 days, high: <14 days)
• Coordinated disclosure: After patch is released and users have time to update

1. Vulnerability confirmed and assessed
2. Fix developed in private repository
3. Patch released as new version
4. Security advisory published on GitHub
5. Disclosure made after users have time to update (typically 7-14 days)

When using masterror in production:

• Use latest stable version: Security fixes are not backported to old versions
• Enable Dependabot: Automatically detect vulnerable dependencies
• Run cargo-audit: Regularly check for known vulnerabilities

cargo install cargo-audit
cargo audit

• Never expose sensitive data in error messages without redaction
• Use redaction policies for PII (Personally Identifiable Information)

use masterror::{AppError, field, RedactionPolicy};

let err = AppError::internal("auth failed")
    .with_field(field::str_redacted(
        "user_email",
        email,
        RedactionPolicy::Hash
    ));

• Disable backtraces in production (avoids leaking internal paths)
• Limit metadata fields (avoid exposing internal state)
• Use message redaction for user-facing errors

[dependencies]
masterror = { version = "0.24", features = ["std", "axum"], default-features = false }

• Avoid exposing third-party error details to end users
• Log detailed errors internally, return sanitized errors to clients

match db.query().await {
    Ok(result) => Ok(result),
    Err(e) => {
        // Log full error internally
        tracing::error!("Database error: {:?}", e);

        // Return sanitized error to client
        Err(AppError::service("database unavailable"))
    }
}

• Verify crate signatures: Use cargo-vet for supply chain verification
• Review dependencies: Audit transitive dependencies periodically
• Pin versions: Use exact versions in Cargo.lock for reproducible builds

Error source chains may contain sensitive information from third-party libraries. Always review what is exposed to end users.

Metadata fields are serialized in responses. Ensure redaction policies are correctly applied before exposing errors via HTTP/gRPC.

Backtraces can reveal internal file paths and stack frames. Disable the backtrace feature in production or implement custom filtering.

Error handling paths should not reveal timing information that could be exploited (e.g., database existence checks via different error latencies). This is application-specific and not handled by masterror.

• Internal audit: Continuous review by maintainers
• cargo-audit: Automated dependency vulnerability scanning in CI
• cargo-deny: License and advisory checking in CI
• Community review: Open source code reviewed by users

masterror contains zero unsafe code, eliminating entire classes of memory safety vulnerabilities:

[lints.rust]
unsafe_code = "forbid"

All error types implement Send + Sync, ensuring safe concurrent usage without data races.

• Strongly typed error kinds (no string matching)
• Compile-time validation of transport mappings
• No type confusion between error categories

No security vulnerabilities have been reported to date.

Future disclosures will be listed here with:

• CVE identifier (if applicable)
• Affected versions
• Severity rating
• Mitigation steps
• Fixed in version

Primary contact: andrey.rozanov.vl@gmail.com

PGP key: Available on request for encrypted communication

• Rust Security Guidelines
• OWASP Error Handling Cheat Sheet
• Cargo Security Advisories