We take the security of Cosmian CLI seriously. If you discover a security vulnerability, please report it responsibly by following the steps below.
Do not report security vulnerabilities through public GitHub issues. Instead, use one of the following private channels:
- GitHub Security Advisories (Preferred): Use the private vulnerability reporting feature on GitHub
- Email: Send details to [email protected]
When reporting a vulnerability, please include as much of the following information as possible:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information
After you submit a report, you can expect the following:
- Initial Response: We will acknowledge receipt of your vulnerability report within 48 hours
- Investigation: We will investigate and validate the vulnerability within 5 business days
- Fix Development: We will work to develop and test a fix as quickly as possible
- Disclosure: We will coordinate the disclosure timeline with you
The following table lists security advisories that are currently being tracked or have been assessed for this project (as configured in deny.toml):
| ID | Description | Status | Reason |
|---|---|---|---|
| RUSTSEC-2023-0071 | RSA Marvin Attack: potential key recovery through timing side channels | Ignored | Temporary; waiting for upstream fix. |
| RUSTSEC-2024-0436 | Transitive dependency (`paste`) unmaintained in `agnostic_lite` | Ignored | Temporary; pending upstream migration to `pastry`. Tracked at al8n/agnostic#26. |
- RUSTSEC-2023-0071: The `rsa` crate is affected by a timing side-channel vulnerability known as the Marvin Attack, which could potentially allow key recovery. This advisory is currently ignored in our tracking while we await an upstream fix.
- RUSTSEC-2024-0436: `paste` is no longer maintained. The advisory surfaces via a transitive dependency chain in `agnostic_lite`. Upstream is expected to migrate to `pastry`; we are tracking progress and will update this list when a fix is available.
Note: cargo-deny may report advisories for optional or feature-gated dependencies because our configuration resolves the dependency graph with all features enabled (see deny.toml), even when those dependencies are not compiled into release builds.
When using Cosmian CLI, we recommend:
- Keep Updated: Always use the latest supported version
- Secure Configuration: Follow the security configuration guidelines in our documentation
- Network Security: Prefer secure endpoints (HTTPS/TLS) for KMS and Findex servers
- Access Control: Implement proper authentication and authorization on connected services
- Monitoring: Enable logging and monitoring for security events on your servers
Cosmian CLI can operate against Cosmian KMS built in FIPS mode. For FIPS-compliant deployments, ensure the target KMS uses OpenSSL 3.2.0 in FIPS mode and that your CLI is configured accordingly.
This project tracks and manages security advisories using cargo-deny and related tooling; the relevant configuration lives in deny.toml. By configuration, cargo-deny resolves the dependency graph with all features enabled, which deliberately surfaces advisories from optional dependencies for visibility. CI pipelines may run advisory and license checks against this configuration.
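The following deny.toml fragment is an added illustration of how the two tracked advisories and the all-features setting described above are expressed for cargo-deny; it is not the project's actual deny.toml. It assumes a cargo-deny release that supports the `[graph]` table and `{ id, reason }` entries in the advisories ignore list (0.14 or newer); older releases place `all-features` at the top level and accept only bare advisory ID strings.

```toml
# Illustrative deny.toml fragment (added example, not the project's real file).
# Assumes cargo-deny >= 0.14 for the [graph] table and { id, reason } ignores.

[graph]
# Resolve the dependency graph with every feature enabled so advisories for
# optional, feature-gated dependencies are surfaced in CI even though they
# may never be compiled into a release build.
all-features = true

[advisories]
# Each ignored advisory carries the reason recorded in the tracking table, so
# a reviewer can tell why the check is silenced and what would unblock it.
ignore = [
    { id = "RUSTSEC-2023-0071", reason = "rsa crate: Marvin timing side channel; temporary, waiting for upstream fix" },
    { id = "RUSTSEC-2024-0436", reason = "paste unmaintained, reached via agnostic_lite; pending upstream migration to pastry (al8n/agnostic#26)" },
]
```

Run `cargo deny check advisories` to confirm that only the listed IDs are suppressed and that no new advisory has appeared; an ignore entry should be removed as soon as the upstream fix lands, otherwise a patched dependency can silently regress without the check firing. To verify the transitive path behind RUSTSEC-2024-0436, `cargo tree -i paste` prints the reverse dependency chain from `paste` up to the workspace crate that pulls it in.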
For general security questions or concerns, please contact us at [email protected].
For immediate security issues, please use the private reporting methods described above.