Updates to the security policy #2176

pietroalbini · 2025-07-28T10:23:42Z

The PR makes multiple changes to our security policy:

Clarifies which branches we support (latest stable, beta, nightly).
Clarifies we only email distros@openwall when the vulnerability is relevant to them (this is our standard practice anyway).
Mentions that we loop relevant members of the Rust team in vulnerabilities, who review the fixes.
Removes the 6 hours delay notice for the blog post, as in the last few years we always published it at the same time as the announcement in the mailing list.
Adds information on when we publish CVE records, as requested by MITRE.
Removes the prompt to encrypt emails with gpg.

cc @rust-lang/security

pietroalbini added 6 commits July 28, 2025 11:56

clarify which release branches are supported

4cb44cd

clarify that distros@openwall is notified only when relevant

ceda3a0

clarify how fixes are nowadays handled

3a361d7

the blog post is published immediately

1f1472b

add details about cve

5a49db3

stop sending us encrypted emails thx

1cb7581

pietroalbini requested review from Manishearth and cuviper July 28, 2025 10:23

pietroalbini requested a review from a team as a code owner July 28, 2025 10:23

Manishearth merged commit baa8db4 into master Jul 28, 2025
2 checks passed

Manishearth deleted the pa-security-updates branch July 28, 2025 13:05

pietroalbini mentioned this pull request Jul 28, 2025

Deploy to production #2177

Merged

Provide feedback