cesr provides cryptographic primitives (CESR + KERI) for Rust. We take the
security of this crate and the systems that depend on it seriously, and we
appreciate responsible disclosure of vulnerabilities.
Security fixes target the latest released minor line. cesr is 0.x and under
active development (see CLAUDE.md), so a fix that must change
observable behavior is handled as a coordinated release; following the SemVer
0.x convention a breaking fix bumps the minor version.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Report privately through GitHub's built-in advisory workflow:
- Go to the repository's Security tab.
- Click Report a vulnerability (GitHub Private Vulnerability Reporting).
- Provide a clear description, affected version(s), and reproduction steps.
A maintainer will receive your report privately, and you can collaborate on a fix through the same private advisory.
Direct link: https://github.com/devrandom-labs/cesr/security/advisories/new
- The module/feature affected (
core,crypto,stream,utils,keri,serder) and the version or git commit. - A description of the impact (e.g. memory unsafety, panic on untrusted input, incorrect verification, timing leak).
- A minimal reproduction (input bytes, a failing test, or a code snippet).
- Acknowledgement: within 3 business days.
- Triage & severity assessment: within 7 business days.
- Fix & coordinated disclosure: timeline communicated during triage, scaled to severity. We will credit reporters who wish to be acknowledged.
In scope: vulnerabilities in this crate's source — including memory safety, panics on untrusted/malformed input, incorrect cryptographic verification, encoding/decoding correctness that affects security, and supply-chain issues in declared dependencies.
Out of scope: vulnerabilities in downstream applications that merely depend on
cesr, and issues requiring a non-default, explicitly-unsafe configuration.
Every change is gated by nix flake check, which runs cargo audit
(RUSTSEC advisory database) and cargo deny (advisories, license, and source
bans) on the full dependency tree. Dependabot continuously monitors and opens
update pull requests, and CodeQL scans first-party Rust source on pull requests.