# Security Policy
## Supported Versions
| Version | Supported |
| ------- | --------- |
| 0.2.x | :white_check_mark: |
| 0.1.x | :white_check_mark: |
| < 0.1 | :x: |
## Reporting a Vulnerability
If you discover a security vulnerability within rok-utils, please follow these steps:
1. **Do NOT** open a public GitHub issue for the vulnerability.
2. Send an email to the maintainer with:
   - A description of the vulnerability
   - Steps to reproduce the issue
   - Potential impact of the vulnerability
   - Any suggested fixes (optional)
3. Wait for acknowledgment from the maintainer (typically within 48 hours).
4. Once the vulnerability is confirmed and a fix is ready:
   - A security advisory will be created on GitHub
   - The fix will be released in a patch version
   - Credit will be given to the reporter (unless anonymity is requested)
## Security Best Practices
When using rok-utils, consider these security best practices:
### Cryptographic Operations
- Use `secure_compare` for timing-safe comparisons whenever a secret is involved (e.g., API keys, tokens)
- Use `hash_sha256` for password hashing only outside production; for production, use a dedicated password hashing algorithm such as `argon2` or `bcrypt`
- Generate tokens with `generate_token` for cryptographic randomness
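As an added illustration of why the timing-safe comparison above matters, here is a constant-time byte comparison beside the naive one it replaces. This is example code written for this page, not rok-utils' own implementation, and it assumes nothing about rok-utils' real API; `verify_api_key` and the sample key are hypothetical.

```rust
// Added example (not rok-utils code): a timing-safe comparison of the kind the
// policy's `secure_compare` advice refers to, next to the naive comparison it
// replaces. Nothing here depends on rok-utils' actual API.
use std::hint::black_box;

/// Naive comparison: `==` on slices returns as soon as a byte differs, so the
/// time taken leaks how many leading bytes of the secret a caller matched.
pub fn naive_eq(a: &[u8], b: &[u8]) -> bool {
    a == b
}

/// Constant-time comparison: every byte of `a` is visited and the mismatches
/// are OR-ed into an accumulator, so the running time depends only on the
/// length of `a`, never on where (or whether) the inputs differ.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    // A length mismatch is folded into the accumulator instead of returning
    // early; the loop still runs over all of `a`.
    let mut diff: u8 = (a.len() != b.len()) as u8;
    for (i, &x) in a.iter().enumerate() {
        // Treat a shorter `b` as zero-padded so the loop never stops early.
        let y = b.get(i).copied().unwrap_or(0);
        diff |= x ^ y;
    }
    // black_box keeps the optimizer from rewriting the loop back into an
    // early-exit comparison.
    black_box(diff) == 0
}

/// Hypothetical helper: check a presented API key against the stored one.
pub fn verify_api_key(presented: &str, expected: &str) -> bool {
    constant_time_eq(presented.as_bytes(), expected.as_bytes())
}

fn main() {
    // Constructed sample key, not a real credential.
    let stored = "rk_live_constructedsamplekey";
    println!("{}", verify_api_key("rk_live_constructedsamplekey", stored)); // true
    println!("{}", verify_api_key("rk_live_constructedsamplekeX", stored)); // false
    println!("{}", naive_eq(b"abc", b"abd")); // false
}
```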
### Input Validation
- Always validate user input before passing it to the string utilities
- Use `RokError::ValidationFailure` for structured validation errors
### Error Handling
- Never expose internal error details to end users in production
- Log errors securely without leaking sensitive information
## Dependencies
rok-utils keeps dependencies minimal and reviews them regularly:
- Heavy cryptographic dependencies (sha2, md-5, subtle) are feature-gated
- All dependencies are reviewed for security vulnerabilities
- We aim to use well-established, audited crates
## Thank You
We appreciate the security research community's efforts to make rok-utils safer for everyone.