author: Jonathan Foote <jonathan@foote.pub> 2020-04-29 15:37:09 -0400
committer: GitHub <noreply@github.com> 2020-04-29 12:37:09 -0700
commit: 1d280608366d15728ac0983ef71e5ea389e0169d (patch)
tree: f3dd034db2ce3a280dbaa4bd768fe8f8c623c1ac /SECURITY.md
parent: 947045b9445f15fb9314ba0892efa2251076ae73 (diff)
chore: add initial security policy (#2360)
Adds an initial security policy based on email discussions with @carllerche, @hawkw, and co.
Diffstat (limited to 'SECURITY.md')
-rw-r--r-- SECURITY.md | 13
1 file changed, 13 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..bf155ff9
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+## Report a security issue
+
+The Tokio project team welcomes security reports and is committed to providing prompt attention to security issues. Security issues should be reported privately via [security@tokio.rs](mailto:security@tokio.rs). Security issues should not be reported via the public Github Issue tracker.
+
+## Vulnerability coordination
+
+Remediation of security vulnerabilities is prioritized by the project team. The project team coordinates remediation with third-party project stakeholders via [Github Security Advisories](https://help.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories). Third-party stakeholders may include the reporter of the issue, affected direct or indirect users of Tokio, and maintainers of upstream dependencies if applicable.
+
+Downstream project maintainers and Tokio users can request participation in coordination of applicable security issues by sending your contact email address, Github username(s) and any other salient information to [security@tokio.rs](mailto:security@tokio.rs). Participation in security issue coordination processes is at the discretion of the Tokio team.
+
+## Security advisories
+
+The project team is committed to transparency in the security issue disclosure process. The Tokio team announces security issues via [project Github Release notes](https://github.com/tokio-rs/tokio/releases) and the [RustSec advisory database](https://github.com/RustSec/advisory-db) (i.e. `cargo-audit`).
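Review bot: the policy names the private reporting channel but sets no expectations for the reporter: there is no acknowledgement window, no statement of which Tokio releases receive security fixes, and no guidance on what a report should contain (affected crate and version, minimal reproduction). Consider a short "what to expect" paragraph at the end of the "Report a security issue" section, along the lines of "We will acknowledge your report within N business days" with N chosen by the team. Two smaller points in the same hunk: "Github" is spelled "GitHub" elsewhere (including the committer line of this commit), and "by sending your contact email address" does not agree with its subject "Downstream project maintainers and Tokio users"; "their contact email address" reads correctly.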