Ferron is a fast, memory-safe web server written in Rust, designed for performance and security. This document outlines the security policies and procedures to ensure Ferron remains a secure and reliable software project.
Ferron actively supports the latest stable release and provides security updates for the most recent minor versions. Users are encouraged to upgrade promptly to receive security patches.
Security is a top priority for Ferron. If you discover a vulnerability, please report it responsibly by sending an email message to [email protected].
We strongly discourage public disclosure of vulnerabilities before a fix is released.
To maintain security, we follow these principles:
- Memory safety - Ferron leverages Rust’s ownership model and borrow checker to eliminate memory-related vulnerabilities.
- Minimal attack surface - features are enabled only as needed, reducing exposure to potential threats.
- Regular audits - code is reviewed regularly, and dependencies are monitored for security vulnerabilities.
- Safe defaults - Ferron disables insecure options by default, such as exposing the server version or directory listings.
Ferron follows industry best practices to maintain a secure development lifecycle:
- Code review - all changes undergo peer review with security checks.
- Dependency management - dependencies are regularly checked and updated to patch known vulnerabilities.
- Responsible disclosure - we work with the security community to resolve issues before public disclosure.
In the event of a security breach or vulnerability:
- Triage - assess and prioritize the issue based on severity.
- Mitigation - develop and test a fix.
- Advisory - issue a security advisory with mitigation steps and fixed versions.
- Update users - notify users via release notes and security mailing lists.
For any security concerns, contact us at [email protected]. Stay updated on security patches via our website.
By following this policy, we ensure Ferron remains a secure and trustworthy web server for all users.