Advisory metadata is stored in TOML format (see below). The following tools consume the data and can be used for auditing and reporing (send PRs to add yours):

cargo-audit: Audit Cargo.lock files for crates with security vulnerabilities

Reporting Vulnerabilities

To report a new vulnerability, open a pull request using the template below. See CONTRIBUTING.md for more information.

Format

Each advisory contains information in TOML format:

[advisory]
package = "mypackage"

# Versions which were never vulnerable
unaffected_versions = ["< 1.1.0"]

# Versions which include fixes for this vulnerability
patched_versions = [">= 1.2.0"]

# Vulnerability aliases (e.g. CVE IDs). Optional but recommended.
# Request a CVE for your RustSec vulns: https://iwantacve.org/
aliases = ["CVE-2018-XXXX"]

# References to related vulnerabilities (Optional)
# e.g. CVE for a C library wrapped by a -sys crate)
references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]

# URL to a long-form description of this issue, e.g. a blogpost announcing
# the release or a changelog entry (optional)
url = false

# Single-line description of a vulnerability
title = "Flaw in X allows Y"

# Disclosure date of the advisory (RFC 3339)
date = "2017-02-25"

# Enter a short-form description of the vulnerability here (required)
description = """
Affected versions of this crate did not properly X.

This allows an attacker to Y.
 
The flaw was corrected by Z.
"""

License

All content in this repository is placed in the public domain.