All security issues should be reported using either GitHub private vulnerability reporting or email the author at brycx@protonmail.com.
We try to follow the RFPolicy, but with an initial response time of 2 weeks maximum. In practice, however, the initial response will most often be faster.
Please clearly indicate in the subject line, that it is about a security issue. Providing many details about the issue makes it easier and faster to fix.
Once a security issue has been confirmed and a fixed version has been released, an advisory will be submitted to the RustSec Advisory Database.
Thank you for taking the time to report and improve this project!
The following are threats, which are considered out-of-scope for Orion.
- Any side-channel other than timing-based
- Hardware-related issues
- Leaking sensitive memory[1]
- Timing-based side-channels when not building in release mode
[1] Wiping sensitive memory is performed on a best-effort approach. However, sensitive memory being wiped or not leaked, cannot be guaranteed. See more in the wiki.
Currently, only the latest version, released on crates.io, receives testing and is supported with security fixes.
There is no guarantee that a version, containing a security fix, will be SemVer-compatible to the previous one.
Backporting security fixes to older versions will be considered on an ad hoc basis.
Any version which is affected by a security issue, will be yanked. Even though we try to provide it, there is no guarantee that a SemVer-compatible version, containing a fix, will be available at the time of yanking.
These are recommendations on how to use Orion correctly:
- Use
cargo auditto ensure the current version has no published security vulnerabilities - Never use
opt-level=0, always build in release mode - Always use the latest version of Orion