advisory-db/contributing.html
github-actions 067addfc34 Update gh-pages
2025-10-27 16:49:06 +00:00


<!DOCTYPE html>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8">
<meta name="author" content="Rust Project Developers">
<meta name="description" content="Security advisory database for Rust crates published through https://crates.io">
<title>Reporting Vulnerabilities RustSec Advisory Database</title>
<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,300italic,400italic" rel="stylesheet">
<link href="/css/basic.css" rel="stylesheet">
<link href="/css/highlight.css" rel="stylesheet">
<link href="/css/index.css" rel="stylesheet">
<script src="/js/index.js" defer></script>
<script src="/js/search.js" defer></script>
<main class="static-page">
<article>
<h1>Reporting Vulnerabilities</h1>
<p>To add an advisory to the RustSec database, open a <a href="https://github.com/RustSec/advisory-db/pulls">Pull Request</a> against
<a href="https://github.com/RustSec/advisory-db">this</a> repository containing the new advisory:</p>
<h3>Required Steps</h3>
<ol>
<li>Create a file named <code>RUSTSEC-0000-0000.md</code> in the <code>crates/&lt;yourcratename&gt;</code>
subdirectory of the repository (you may need to create it if it doesn't exist)</li>
<li>Copy and paste the <a href="https://github.com/RustSec/advisory-db#advisory-format">TOML advisory template</a> from the README.md file in this repo.
Delete the comments and additional whitespace, and fill it out with the
details of the advisory. Surround the TOML data with <code>```toml</code> and <code>```</code> markers.</li>
<li>Write a human-readable Markdown description in the same file, after the <code>```</code> marker and a newline. Use <a href="https://raw.githubusercontent.com/rustsec/advisory-db/main/EXAMPLE_ADVISORY.md">this example advisory</a> as a reference.</li>
<li>Open a <a href="https://github.com/RustSec/advisory-db/pulls">Pull Request</a>. After being reviewed your advisory will be assigned
a <code>RUSTSEC-*</code> advisory identifier and be published to the database.</li>
</ol>
<h3>Optional Steps</h3>
<p>Feel free to do either or both of these as you see fit (we recommend you do both):</p>
<ol start="4">
<li><a href="https://doc.rust-lang.org/cargo/commands/cargo-yank.html">Yank</a> the affected versions of the crate.</li>
<li>Request a CVE for your vulnerability. See https://cve.mitre.org/cve/request_id.html
and https://cveform.mitre.org for details.
Alternatively, you can create a GitHub Security Advisory (GHSA) and let them request
a CVE for you. In this case, you can add the GHSA ID to the RustSec advisory via the
<code>aliases</code> field.</li>
</ol>
<h2>Criteria</h2>
<p>RustSec is a database of security vulnerabilities. The following are
examples of qualifying vulnerabilities:</p>
<ul>
<li>Code Execution (i.e. RCE)</li>
<li>Memory Corruption</li>
<li>Privilege Escalation (either at OS level or inside of an app/library)</li>
<li>File Disclosure / Directory Traversal</li>
<li>Web Security (e.g. XSS, CSRF)</li>
<li>Format Injection, e.g. shell escaping, SQL injection (and also XSS)</li>
<li>Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage)</li>
<li>Covert Channels (e.g. Spectre, Meltdown)</li>
<li>Panics in code advertised as &quot;panic-free&quot; (particularly if useful for network DoS attacks)</li>
</ul>
<p>Moreover, RustSec also tracks <a href="https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library">soundness</a> issues as informational advisories, independent of whether they are vulnerabilities or not.
A soundness issue arises when using a crate from safe code can cause <a href="https://doc.rust-lang.org/reference/behavior-considered-undefined.html">Undefined Behavior</a>.</p>
<p>When in doubt, please open a PR.</p>
<h2>FAQ</h2>
<p><strong>Q: Do I need to be the owner of a crate to file an advisory?</strong></p>
<p>A: No, anyone can file an advisory against any crate. The legitimacy of
vulnerabilities will be determined prior to merging. If a vulnerability
turns out to be fake, it will be removed from the database.</p>
<p><strong>Q: Can I file an advisory without creating a pull request?</strong></p>
<p>A: Yes, instead of creating a full advisory yourself, you can also
<a href="https://github.com/RustSec/advisory-db/issues">open an issue on the advisory-db repo</a>.</p>
<p><strong>Q: Does this project have a GPG key or other means of handling embargoed vulnerabilities?</strong></p>
<p>A: We do not presently handle embargoed vulnerabilities. Please ensure embargoes
have been lifted and details have been disclosed to the public prior to filing
them against RustSec.</p>
<p><strong>Q: Is this where I report a vulnerability in <code>rustc</code>?</strong></p>
<p>A: No, for official Rust projects, please see the <a href="https://www.rust-lang.org/policies/security">Rust Security Policy</a> and follow the guidelines there.</p>
<p><strong>Q: Is this where I report intentionally malicious code or malware present on crates.io?</strong></p>
<p>A: No, please see the <a href="https://crates.io/policies/security">Crates.io Security Policy</a> to get content violating crates.io's policies taken down.</p>
<p><strong>Q: I'm a crate author and someone reported a vulnerability in my crate to me. Can you help me?</strong></p>
<p>A: The Rust Foundation has resources that can help handle Rust ecosystem security issues.
Please see the <a href="https://crates.io/policies/security#ecosystem-security-help">Ecosystem security help for crate authors</a> section of the crates.io security policy.</p>
</article>
</main>