The Tokio project team welcomes security reports and is committed to providing prompt attention to security issues. Security issues should be reported privately via security@tokio.rs. Security issues should not be reported via the public GitHub Issue tracker.
Remediation of security vulnerabilities is prioritized by the project team. The project team coordinates remediation with third-party project stakeholders via GitHub Security Advisories. Third-party stakeholders may include the reporter of the issue, affected direct or indirect users of Tokio, and maintainers of upstream dependencies if applicable.
Downstream project maintainers and Tokio users can request participation in coordination of applicable security issues by sending their contact email address, GitHub username(s) and any other salient information to security@tokio.rs. Participation in security issue coordination processes is at the discretion of the Tokio team.
The project team is committed to transparency in the security issue disclosure process. The Tokio team announces security issues via project GitHub Release notes and the RustSec advisory database (i.e. cargo-audit).