Strengthening Rust Security with Alpha-Omega: A Progress Update

With both ongoing and additional funding from Alpha-Omega, the Rust Foundation is building tools, practices, and partnerships that make the Rust programming language ecosystem—and open source—more secure.
As the steward of the Rust programming language, the Rust Foundation believes that safety and security are the topmost priorities for all open source communities. We also believe that Rust is one of the most powerful tools we have to further secure and sustain open source.
Although the Rust Foundation was founded on these principles, we would not have been able to achieve or so meaningfully tackle our security goals for the Rust ecosystem without the continued, generous support of OpenSSF’s Alpha-Omega Project. Through ongoing general funding from Alpha-Omega and additional project-focused donations, we have had the necessary tools and resources to establish a growing team of in-house talent who regularly dedicate time to collaborating with Rust Project maintainers to tackle key security priorities in Rust.
Alpha-Omega has enabled the Rust Foundation to take on a breadth of important security work, which readers can track across the past several years in updates like our Security Initiative Report from February 2024, our most recent Technology Report, and all of our Annual Reports over the past few years.
While we plan to publish a comprehensive 2025 Technology Report this summer detailing our engineering work in various areas including our Security Initiative, our team wanted to share an update on what we have been able to accomplish through Alpha-Omega’s generous donations thus far in 2025 and share several exciting funding updates.
- Crate Provenance Tracking Now Live – Our Technology team has deployed tooling that traces the provenance of every crate published to crates.io—enhancing transparency and trust for maintainers, consumers, and downstream integrators.
- Typomania and Painter Reach Maturity – Our two flagship open source tools—Typomania, which flags potential typosquatting packages, and Painter, which maps transitive dependencies—have seen adoption from both Rust maintainers and external security researchers.
- Expanded Threat-Modeling – In early 2025, we published updated threat models for the crates.io ecosystem and Rust’s core infrastructure. These models are helping align community-wide efforts around shared security assumptions and mitigation strategies.
- Real-Time Crate Scanning Pilots Underway – We are developing and deploying crate scanning infrastructure that will scan for vulnerabilities and malware in real time, reducing time-to-detection for malicious or vulnerable packages.
- Rust-Focused Implementation of Capslock – Thanks to additional support from Alpha-Omega, we are now beginning to flesh out a Rust-focused implementation of Capslock – a capability analysis CLI, originally developed for Go packages, that informs users of which privileged operations a given package can access. The deliverable for this project is an experimental Cargo subcommand, tentatively called cargo-cgsec, that analyses a Rust target and emits call graph data in the language-independent Capslock ingestion format, lists security advisories that may apply to supply chain dependencies, and maps Rust programs to actual capabilities.
- Implementation of Trusted Publishing for crates.io – Also with additional, dedicated support from Alpha-Omega, we’re contributing engineering resources to implement Trusted Publishing for crates.io based on the RFC, authored by Matthew Trostel at Sentry with support from William Woodruff at Trail of Bits. Trusted publishing strengthens the security posture of the Rust crate publishing supply chain by reducing the risk of credential leaks and streamlining release workflows. The crates.io implementation of trusted publishing would utilize principles from the already existing PyPI implementation and align with the OpenSSF’s principles for package repository security.
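To make the typosquatting problem that Typomania addresses concrete, here is a small added example of the core check such a tool performs. It is illustrative code written for this update, not Typomania's own implementation: it normalises names the way crates.io compares them (case-insensitive, `-` and `_` interchangeable), computes an edit distance that counts adjacent transpositions as a single edit, and flags a newly published name that sits within a small distance of a well-known crate. The list of "popular" crates and the length-based threshold are constructed assumptions for the demonstration.

```rust
// Added illustrative example (not Typomania's code): flag new crate names
// that are suspiciously close to well-known ones.

/// Normalise a crate name as crates.io treats it for uniqueness:
/// case-insensitive, with `-` and `_` considered the same character.
fn normalise(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

/// Optimal-string-alignment edit distance: insertions, deletions,
/// substitutions, and swaps of two adjacent characters each cost 1.
/// Adjacent swaps matter because they are the most common typo.
pub fn osa_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for (i, row) in d.iter_mut().enumerate() {
        row[0] = i;
    }
    for j in 0..=m {
        d[0][j] = j;
    }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            d[i][j] = (d[i - 1][j] + 1)
                .min(d[i][j - 1] + 1)
                .min(d[i - 1][j - 1] + cost);
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                d[i][j] = d[i][j].min(d[i - 2][j - 2] + 1);
            }
        }
    }
    d[n][m]
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    /// Same name as an existing popular crate (crates.io would reject it).
    Exact,
    /// Within the edit-distance threshold of the named popular crate.
    Suspicious(String, usize),
    /// Not close to anything on the watch list.
    Clean,
}

/// Compare a candidate name against a watch list of well-known crates and
/// return the closest match if it is within the threshold.
pub fn check_name(candidate: &str, popular: &[&str]) -> Verdict {
    let c = normalise(candidate);
    let mut best: Option<(String, usize)> = None;
    for p in popular {
        let pn = normalise(p);
        if pn == c {
            return Verdict::Exact;
        }
        let dist = osa_distance(&c, &pn);
        // Assumed policy: allow 2 edits for longer names, 1 for short ones,
        // since short names collide by accident far more often.
        let threshold = if pn.chars().count() >= 6 { 2 } else { 1 };
        if dist <= threshold && best.as_ref().map_or(true, |(_, d)| dist < *d) {
            best = Some((p.to_string(), dist));
        }
    }
    match best {
        Some((p, d)) => Verdict::Suspicious(p, d),
        None => Verdict::Clean,
    }
}

fn main() {
    // Constructed watch list for the demonstration.
    let popular = ["serde", "tokio", "rand", "regex", "hyper"];
    for name in ["serde", "sedre", "tokoi", "clap"] {
        println!("{name}: {:?}", check_name(name, &popular));
    }
}
```

In a real pipeline the watch list would be drawn from download counts or reverse-dependency counts, and a `Suspicious` verdict would queue the crate for human review rather than block it outright, since legitimate forks and companion crates often have near-identical names.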
Looking ahead:
Our Security Initiative has no plans to slow down in the second half of this year! Throughout the rest of 2025, our team will focus on key foundational improvements like:
- Officially rolling out trusted publishing for crates on crates.io.
- Delivering a prototype of cargo-cgsec.
- Completing a Rust Project goal by providing an MVP implementation of The Update Framework (TUF) for crates.io & releases to enable signed metadata and integrity verification across the ecosystem. This is a sidecar deployment of the full TUF suite for out-of-band usage and proving out the MVP to the broader Rust Project.
- Gaining official acceptance of the TUF RFC.
- Growing partnerships with safety-critical industries via the Safety-Critical Rust Consortium and targeted threat modeling workshops.
Thank you, Alpha-Omega!
Without the support of Alpha-Omega, we would neither have been able to accomplish the Security Initiative milestones listed above nor tackle the exciting challenges that remain this year. Alpha-Omega has empowered the Rust Foundation to develop new tooling and methods to close critical security gaps in Rust, and to proactively strengthen the Rust ecosystem’s long-term resilience. Through this partnership and the collaboration with security-focused Rust Project maintainers, we are benefitting the people, organizations, and systems deeply invested in Rust.
Today, the Rust Foundation is particularly grateful to Alpha-Omega for contributing an additional $216K to the Rust Foundation to support our work in implementing Trusted Publishing for crates.io and creating a Rust-focused implementation of Capslock.
Alpha-Omega’s continued investment in the Rust Foundation’s Security Initiative reflects a shared belief: that Rust is uniquely positioned to advance the future of secure software. Its memory safety guarantees, strong type system, and growing adoption across industries make it a powerful foundation for building software that underpins everything from consumer applications to national infrastructure. By investing in Rust’s security now, we’re helping ensure a safer, more resilient digital future for everyone.