Skip to content

Latest commit

 

History

History
37 lines (24 loc) · 2.04 KB

SECURITY.md

File metadata and controls

37 lines (24 loc) · 2.04 KB

Reporting security issues

All security issues should be reported to the author at [email protected].

We try to follow the RFPolicy, but with an initial response time of 2 weeks maximum. In practice, however, the initial response will most often be faster.

Please clearly indicate in the subject line, that it is about a security issue. Providing many details about the issue makes it easier and faster to fix.

Once a security issue has been confirmed and a fixed version has been released, an advisory will be submitted to the RustSec Advisory Database.

Thank you for taking the time to report and improve this project!

Threat model

The following are threats, which are considered out-of-scope for Orion.

  • Any side-channel other than timing-based
  • Hardware-related issues
  • Leaking sensitive memory[1]
  • Timing-based side-channels when not building in release mode

[1] Wiping sensitive memory is performed on a best-effort approach. However, sensitive memory being wiped or not leaked, cannot be guaranteed. See more in the wiki.

Supported versions

Currently, only the latest version, released on crates.io, receives testing and is supported with security fixes.

There is no guarantee that a version, containing a security fix, will be SemVer-compatible to the previous one.

Backporting security fixes to older versions will be considered on an ad hoc basis.

Yanking policy

Any version which is affected by a security issue, will be yanked. Even though we try to provide it, there is no guarantee that a SemVer-compatible version, containing a fix, will be available at the time of yanking.

Recommended best practices

These are recommendations on how to use Orion correctly:

  • Use cargo audit to ensure the current version has no published security vulnerabilities
  • Never use opt-level=0, always build in release mode
  • Always use the latest version of Orion