As RustIRC is currently in development, security updates will be provided for:
| Version | Supported |
|---|---|
| main | ✅ |
| develop | ✅ |
| < 1.0 | ❌ |
Once we reach 1.0, we will maintain security updates for the current major version and the previous major version.
We take security vulnerabilities seriously. If you discover a security vulnerability in RustIRC, please follow these steps:
Security vulnerabilities should not be reported through public GitHub issues.
Send an email to: security@rustirc.org (once established)
Or use GitHub's private vulnerability reporting:
- Go to the Security tab in the repository
- Click "Report a vulnerability"
- Fill out the form with details
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information

- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 1 week
- We will work on a fix and coordinate disclosure

- Keep RustIRC Updated - Always use the latest version
- Use TLS/SSL - Always connect to IRC servers using TLS
- Strong Passwords - Use strong, unique passwords for IRC services
- Script Safety - Only install scripts from trusted sources
- Plugin Verification - Verify plugin signatures before installation

- Input Validation - Always validate and sanitize user input
- Memory Safety - Leverage Rust's memory safety features
- Dependency Audit - Regularly audit dependencies with `cargo audit`
- Secure Defaults - Default to secure configurations

- Principle of Least Privilege - Scripts and plugins run with minimal permissions
- Sandboxed Scripting - Lua and Python scripts run in restricted environments
- TLS by Default - Secure connections preferred
- SASL Authentication - Support for secure authentication methods
- Input Sanitization - Protection against IRC protocol injection
- Resource Limits - Prevent resource exhaustion attacks
- Secure Storage - Credentials stored securely using platform keychains
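The Input Sanitization and Resource Limits items above, shown as an added example that is not RustIRC's own code: a hypothetical outbound `PRIVMSG` builder in Rust that rejects or strips the CR, LF and NUL bytes behind IRC protocol injection and truncates the line to the 512-byte limit. The function and constant names are assumptions.

```rust
// Hypothetical helper written for this page, not RustIRC's own code.
// IRC lines end in CRLF and are capped at 512 bytes (RFC 1459); a CR, LF or
// NUL inside a parameter would end the line early and let the remainder be
// parsed by the server as a second, attacker-chosen command.

/// Maximum IRC line length in bytes, including the trailing CRLF (RFC 1459).
pub const MAX_LINE: usize = 512;

/// True if `s` contains a byte that would break IRC line framing.
pub fn has_line_breaking_bytes(s: &str) -> bool {
    s.bytes().any(|b| matches!(b, b'\r' | b'\n' | b'\0'))
}

/// Remove CR, LF and NUL so the text can only ever be one IRC parameter.
pub fn strip_line_breaking(s: &str) -> String {
    s.chars().filter(|c| !matches!(c, '\r' | '\n' | '\0')).collect()
}

/// Build a `PRIVMSG` line. The target is rejected outright unless it is a
/// single clean token; the message text is stripped and then truncated on a
/// UTF-8 char boundary so the finished line never exceeds `MAX_LINE`.
pub fn build_privmsg(target: &str, text: &str) -> Result<String, String> {
    if target.is_empty()
        || target.starts_with(':')
        || target.contains(' ')
        || has_line_breaking_bytes(target)
    {
        return Err(format!("invalid target: {:?}", target));
    }
    let prefix = format!("PRIVMSG {} :", target);
    // Bytes left for the text once the prefix and the CRLF are accounted for.
    let budget = MAX_LINE
        .checked_sub(prefix.len() + 2)
        .ok_or_else(|| format!("target too long: {:?}", target))?;
    let mut body = strip_line_breaking(text);
    if body.len() > budget {
        let mut cut = budget;
        while !body.is_char_boundary(cut) {
            cut -= 1;
        }
        body.truncate(cut);
    }
    Ok(format!("{}{}\r\n", prefix, body))
}

fn main() {
    // Constructed input: a message carrying a CRLF-smuggled second command.
    println!("{:?}", build_privmsg("#rustirc", "hello\r\nJOIN #other"));
}
```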

- Private Disclosure - Vulnerabilities are disclosed privately to affected parties
- Patch Development - We develop patches in private repositories
- Coordinated Release - Patches are released simultaneously with disclosure
- Credit - Security researchers are credited (unless they prefer anonymity)
- CVE Assignment - Critical vulnerabilities receive CVE identifiers
RustIRC undergoes regular security reviews:
- Automated scanning with `cargo audit`
- Dependency review with Dependabot
- Code review for all security-related changes
- Planned third-party audit before 1.0 release

- Security Email: security@rustirc.org (to be established)
- GitHub Security Advisories: Via repository Security tab
- General Inquiries: Use GitHub Discussions
Thank you for helping keep RustIRC secure!