To add an advisory to the RustSec database, open a Pull Request against this repository containing the new advisory:
- Create a file named
RUSTSEC-0000-0000.tomlin thecrates/<yourcratename>subdirectory of this repository (you may need to create it if it doesn't exist) - Copy and paste the TOML advisory template from the README.md file in this repo. Delete the comments and additional whitespace, and fill it out with the details of the advisory.
- Open a Pull Request. After being reviewed your advisory will be assigned
a
RUSTSEC-*advisory identifier and be published to the database. - (Optional, but recommended) Request a CVE for your vulnerability: https://iwantacve.org/
RustSec is a database of security vulnerabilities. The following are examples of qualifying vulnerabilities:
- Code Execution (i.e. RCE)
- Memory Corruption
- Privilege Escalation (either at OS level or inside of an app/library)
- File Disclosure / Directory Traversal
- Web Security (e.g. XSS, CSRF)
- Format Injection, e.g. shell escaping, SQL injection (and also XSS)
- Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage)
- Covert Channels (e.g. Spectre, Meltdown)
- Panics in code advertised as "panic-free" (particularly if useful for network DoS attacks)
When in doubt, please open a PR.