If you discover a security vulnerability in rskit, please report it privately using one of the following channels:

1. Preferred: GitHub Security Advisories — opens a private disclosure thread visible only to maintainers.
2. Alternative: Email the maintainers (see MAINTAINERS.md) with subject prefix [SECURITY].

Do not open a public GitHub issue for security reports.

• A clear description of the issue and its potential impact.
• Steps to reproduce, including a minimal proof-of-concept if possible.
• The affected version(s) and rustc toolchain.
• Any suggested mitigations or fixes.

• Acknowledgment within 48 hours of your report.
• Status update within 5 business days with an assessment.
• Fix timeline communicated once the issue is confirmed.
• CVE assignment for confirmed vulnerabilities affecting released versions, requested via GitHub Security Advisories. Where applicable, a matching RUSTSEC advisory is also filed.
• Credit in the release notes and the advisory (unless you prefer to remain anonymous).

• We follow coordinated disclosure.
• Please allow a reasonable embargo period (typically 90 days) before any public disclosure, extendable by mutual agreement when a fix requires coordination across downstream consumers.
• Once a fix is released, the advisory is published and CVE / RUSTSEC IDs are made public.

When using rskit in production:

• Keep dependencies up to date (cargo update && cargo deny check).
• Use the rskit-encryption crate for sensitive data at rest.
• Configure TLS via the rskit-server / rskit-httpclient crates for all network communication — never disable certificate verification in production.
• Never commit secrets — use environment variables or secret managers (rskit-config integrates with dotenvy and env-var layering).
• Review cargo audit and cargo deny check advisories findings regularly. CI runs both on every push.
• Avoid unwrap() / expect() in library code — see CONTRIBUTING.md.
• Any unsafe block must carry a // SAFETY: comment justifying the invariant.

• All GitHub Actions used in CI are pinned to commit SHAs (see .github/workflows/).
• Dependency updates are automated via Dependabot (.github/dependabot.yml).
• The Rust toolchain is pinned via rust-toolchain.toml; CI enforces this invariant. The Cargo.lock is committed and checked via cargo update --locked.
• Releases are signed with Sigstore (cosign) via the release workflow. SBOMs (CycloneDX, generated by cargo-cyclonedx) are attached to each release.
• Supply-chain policy is enforced by cargo-deny via deny.toml: banned crates, license allowlist, advisory database, and source allowlist.