# oci-spec-rs Security Security is taken seriously and has high priority across all related projects to ensure users can trust this project for their systems. We're extremely grateful for security researchers and users that report vulnerabilities to the community. All reports are thoroughly investigated by a set of community volunteers. ## Report a Vulnerability To make a report, email the vulnerability to the private [cncf-oci-spec-rs-security@lists.cncf.io](mailto:cncf-crio-security@lists.cncf.io) list with the security details. You can expect an initial response to the report within 3 business days. Possible fixes for vulnerabilities will be then discussed via the mail thread and can be considered as automatically embargoed until they got merged into all related branches. A project approver or reviewer (as defined in the [OWNERS](./OWNERS) file) will coordinate how the pull requests and patches are being incorporated into the repository without breaking the embargo. ### When Should I Report a Vulnerability? - You think you discovered a potential security vulnerability - You are unsure how a vulnerability affects this project - You think you discovered a vulnerability in another project that oci-spec-rs depends on (for projects with their own vulnerability reporting and disclosure process, please report it directly there) ### When Should I NOT Report a Vulnerability? - You need help tuning components for security - You need help applying security related updates - Your issue is not security related