|
4 | 4 | policies-security-page-title = 安全政策 |
5 | 5 | security-reporting-heading = 报告漏洞 |
6 | 6 | security-reporting-link = 给 { ENGLISH("[email protected]") } 发邮件 |
| 7 | +security-reporting-description--2025-07 = |
| 8 | + <p>Safety is one of the core principles of Rust, and to that end, we would like to ensure that Rust has a secure implementation. Thank you for taking the time to responsibly disclose any issues you find.</p> |
| 9 | + <p>All security bugs in the Rust distribution should be reported by email to { -security-at-rust-lang-org-anchor }. This list is delivered to a small security team. Your email will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 hours indicating the next steps in handling your report.</p> |
| 10 | + <p>This email address receives a large amount of spam, so be sure to use a descriptive subject line to avoid having your report be missed. After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement. As recommended by <a href="{ -wikipedia-rfpolicy-href }">RFPolicy</a>, these updates will be sent at least every five days. In reality, this is more likely to be every 24-48 hours.</p> |
| 11 | + <p>If you have not received a reply to your email within 48 hours, or have not heard from the security team for the past five days, there are a few steps you can take (in order):</p> |
| 12 | + <ul> |
| 13 | + <li> |
| 14 | + Contact both the security coordinators directly: |
| 15 | + <ul> |
| 16 | + <li>{ -security-coordinator-1-email-anchor }</li> |
| 17 | + <li>{ -security-coordinator-2-email-anchor }</li> |
| 18 | + </ul> |
| 19 | + </li> |
| 20 | + <li>Post on the <a href="{ -internals-rust-lang-org-href }">internals forums</a></li> |
| 21 | + </ul> |
| 22 | + <p>Please note that the discussion forums are public areas. When escalating in these venues, please do not discuss your issue. Simply say that you’re trying to get a hold of someone from the security team.</p> |
| 23 | +
|
| 24 | +security-scope-heading = Scope |
| 25 | +security-scope--2025-04 = |
| 26 | + <p>The Rust Security Response WG handles vulnerability reports for everything maintained and published by the Rust Project:</p> |
| 27 | + <ul> |
| 28 | + <li> |
| 29 | + The following GitHub organizations, and all repositories and CI pipelines hosted in them: |
| 30 | + <ul> |
| 31 | + <li><a href="https://github.com/rust-lang"><code>rust-lang</code></a></li> |
| 32 | + <li><a href="https://github.com/rust-lang-ci"><code>rust-lang-ci</code></a></li> |
| 33 | + <li><a href="https://github.com/rust-lang-nursery"><code>rust-lang-nursery</code></a></li> |
| 34 | + <li><a href="https://github.com/rust-analyzer"><code>rust-analyzer</code></a></li> |
| 35 | + </ul> |
| 36 | + </li> |
| 37 | + <li> |
| 38 | + The following domain names, all their subdomains, and all applications hosted within: |
| 39 | + <ul> |
| 40 | + <li><a href="http://rust-lang.org">rust-lang.org</a> (see exceptions below)</li> |
| 41 | + <li><a href="http://rustup.rs">rustup.rs</a></li> |
| 42 | + <li><a href="http://crates.io">crates.io</a> (see exceptions below)</li> |
| 43 | + <li><a href="http://docs.rs">docs.rs</a></li> |
| 44 | + <li><a href="http://rfcbot.rs">rfcbot.rs</a></li> |
| 45 | + </ul> |
| 46 | + </li> |
| 47 | + <li>All crates owned by <a href="https://crates.io/users/rust-lang-owner">@rust-lang-owner</a> on <a href="http://crates.io">crates.io</a>.</li> |
| 48 | + <li>All extensions in the Visual Studio Marketplace published by <a href="https://marketplace.visualstudio.com/publishers/rust-lang"><code>rust-lang</code></a>.</li> |
| 49 | + <li>All extensions in the Open VSX registry published by <a href="https://open-vsx.org/namespace/rust-lang"><code>rust-lang</code></a>.</li> |
| 50 | + </ul> |
| 51 | + <p>The following things are <strong>outside our scope</strong>:</p> |
| 52 | + <ul> |
| 53 | + <li>The <a href="http://internals.rust-lang.org">internals.rust-lang.org</a> and <a href="http://users.rust-lang.org">users.rust-lang.org</a> domains. Please follow <a href="https://github.com/discourse/discourse/blob/main/docs/SECURITY.md">Discourse's Security Policy</a> for it.</li> |
| 54 | + <li>Third-party packages published on <a href="http://crates.io">crates.io</a>. Please follow <a href="https://crates.io/security">crates.io's Security Policy</a> for them.</li> |
| 55 | + </ul> |
| 56 | + <p>When reporting vulnerabilities, keep in mind that:</p> |
| 57 | + <ul> |
| 58 | + <li>Unless otherwise noted, all components of the Rust toolchain (rustc, Cargo, rust-analyzer, or any other tool shipped through rustup) assume that the user's source code and dependencies are fully trusted, reviewed and contain no malicious code. We do not consider attacks caused by compiling or analyzing malicious projects or dependencies a security vulnerability.</li> |
| 59 | + <li>Soundness issues in the Rust compiler or language are not automatically classified as a security vulnerability, but will be analyzed on a case-by-case basis if reported.</li> |
| 60 | + <li>The <code>regex</code> crate <a href="https://docs.rs/regex/latest/regex/#untrusted-input">provides guarantees about untrusted patterns</a>. We consider denial of service with untrusted patterns a security vulnerability only if the time spent inside of the <code>regex</code> crate is not linear, and none of the <a href="https://docs.rs/regex/latest/regex/struct.RegexBuilder.html">limit methods in <code>RegexBuilder</code></a> are able to prevent the attack.</li> |
| 61 | + </ul> |
| 62 | + <p>If you have doubts on whether something falls within our scope, <a href="mailto:[email protected]">please reach out</a> and we will provide guidance.</p> |
| 63 | +
|
7 | 64 | security-disclosure-heading = 信息披露政策 |
8 | 65 | security-disclosure-description = |
9 | 66 | <p>Rust 项目有 5 步披露流程:</p> |
|
0 commit comments