Security Policy
Supported Versions
We release security updates for the following versions of Core Web:
| Version | Supported |
| ------- | --------- |
| 1.x.x   | :white_check_mark: |
| < 1.0   | :x: |
Reporting a Vulnerability
If you discover a security vulnerability in Core Web, please follow these steps:
- Do not create a public issue on GitHub
- Send an email to our security team at security@core-web.example.com
- Include the following information in your report:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact of the vulnerability
  - Any possible mitigations you’ve identified
Response Time
We strive to respond to security vulnerability reports within 48 hours. Our team will:
- Acknowledge receipt of your report
- Investigate the issue
- Develop and test a fix
- Release a security update
- Publicly disclose the vulnerability (credit given to reporters)
Security Measures
Core Web implements several security measures:
- Regular dependency updates via Dependabot
- Automated security scanning in CI pipeline
- Code review requirements for all pull requests
- Secure coding practices following Rust community guidelines
- Regular penetration testing
Known Vulnerabilities
We are aware of the following security vulnerabilities in our dependencies:
RSA Timing Attack (RUSTSEC-2023-0071)
- Severity: Medium (5.9)
- Description: Marvin Attack - potential key recovery through timing side channels in the rsa crate
- Status: No fixed upgrade available
- Mitigation: We are monitoring the rsa crate for updates and will upgrade as soon as a fixed version is available. In the meantime, we recommend using strong key lengths and limiting exposure of RSA operations to trusted environments.
We actively monitor security advisories and work to address vulnerabilities as quickly as possible.
Security Best Practices
When using Core Web in your projects, we recommend:
- Keep Core Web and all dependencies up to date
- Use environment variables for sensitive configuration
- Implement proper authentication and authorization
- Regularly audit your dependencies
- Monitor security advisories for Rust and dependencies
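One way to keep the dependency audit enforcing these recommendations while still tracking the accepted RUSTSEC-2023-0071 exception, as an added example that is not Core Web's own configuration: a cargo-deny `deny.toml` (file name and the use of cargo-deny in the CI pipeline are assumptions) that fails the build on any advisory not explicitly recorded here.

```toml
# deny.toml (assumed name) for cargo-deny; added example, not Core Web's own file.
# `cargo deny check advisories` consults the RustSec database and fails on any
# advisory affecting the lockfile that is not listed under `ignore` below.
[advisories]
# Source of the RustSec advisories, including RUSTSEC-2023-0071.
db-urls = ["https://github.com/rustsec/advisory-db"]
# Treat yanked crate versions as a failure, not just a warning.
yanked = "deny"
# Accepted exceptions only. Each entry carries its reason so it is reviewed on
# every change rather than silently inherited; delete the entry as soon as a
# fixed `rsa` release ships so the audit starts failing again if it is missed.
ignore = [
    # RUSTSEC-2023-0071: Marvin attack, timing side channel in the rsa crate.
    # No fixed upgrade available yet; see "Known Vulnerabilities" above.
    "RUSTSEC-2023-0071",
]
```

Running `cargo deny check advisories` with this file passes while RUSTSEC-2023-0071 is the only finding and fails as soon as a new advisory appears, which is the behaviour a CI gate for the "Regularly audit your dependencies" recommendation needs.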
Additional Resources