The Rust Foundation Security Initiative

The Rust Foundation created its Security Initiative in 2021 to advance the state of security in the Rust programming language ecosystem. Thanks to our sponsors and collaborators, we have made a number of critical improvements to Rust’s security landscape through this program – and we’re just getting started.

Rust has many built-in safety advantages, but broader ecosystem security is a moving target.

In recent years, the Rust programming language has experienced rapid growth in global popularity and adoption. But as software engineers, business leaders, and global governments become more aware of the many advantages of Rust, the need for more scalable security systems and safeguards against bad actors has become urgent.

Through the Security Initiative, we’ve created new open source security tools for Rust developers, conducted audits and threat models, developed a collaborative team of Rust security experts, and much more.

Key Program Activities

Developing Rust Security Expertise

Through the Security Initiative, we have hired a full-time Security Engineer and a security-focused Software Engineer who help lead the program and regularly collaborate with members of the Rust Project’s crates.io Team, Infrastructure Team, Security Response Working Group, and Secure Code Working Group, in addition to specific external stakeholders.

Threat-Modeling

Threat modeling exercises enable the Rust Foundation and Rust Project to better understand the risks identified by the Security Audit. Details of the threat models we have conducted so far can be found in the progress reports linked below.

Rust Security Auditing

An audit of the state of security within the Rust ecosystem will allow both the Rust Foundation and Project to anticipate risks better and define how security can be economically maintained on an ongoing basis. Given the size of our team, the community, and the ecosystem at large, we have a unique opportunity to learn hard lessons from other ecosystems and implement appropriate remediations for them at a smaller scale.

Actionable Security Research

The findings of our work under the Security Initiative have revealed the need for new open source tools and features to enhance maintainers’ security workflows and unlock greater insight into vulnerabilities. To date, our team has created the following new open source Rust security tools:

  • Painter – Creates a complete call graph across the entire crates ecosystem to reveal how crates relate to each other.
  • Typomania – Detects potential typosquatting; it is a reusable library that can be adapted to any registry.

Key Contributors

  • Joel Marcey

    Director of Technology

    As the Rust Foundation’s Director of Technology, Joel oversees the technology and engineering programs and initiatives of the Rust Foundation. Prior to joining the Rust Foundation as a founding staff member, Joel worked at Facebook/Meta as a Developer Advocate and ecosystem lead with prominent participation in high-impact standards organizations including Open Web Docs and Ecma.

  • Tobias Bieniek

    Software Engineer

    Tobias Bieniek is the Rust Foundation’s crates.io-focused Software Engineer. He has been involved with the Rust ecosystem since roughly 2015. He started out by working on the intellij-rust project. For the past several years, he has been contributing to the crates.io codebase.

    In 2019, Tobias officially joined the crates.io team. In May 2021, they asked him to co-lead the team. In mid-2022, Tobias applied for the first round of fellowship grants from the Rust Foundation, part of our Community Grants Program.

  • Adam Harvey

    Software Engineer

    Adam Harvey is the Rust Foundation’s security-focused Software Engineer. He partners with Walter Pearce to carry out priorities identified by our Security Initiative. Adam is a self-described generalist software developer who has worked at a variety of companies and open source projects including New Relic, Sourcegraph, and PHP in the course of his 20-year career. Originally from Western Australia, he has lived in Vancouver, Canada for the past 10 years.

  • Walter Pearce

    Security Engineer

    Walter Pearce is a key leader of the Rust Foundation’s Security Initiative. Walter comes from a 14-year career in security. For the past seven years, he has specialized in offensive security in the gaming industry, leading efforts to find and mitigate vulnerabilities affecting tens of millions of players at Epic Games and Blizzard Entertainment. Before that, he was a security consultant providing penetration testing, red teaming, and code review services for many Fortune 100 companies whose foci included operating systems, languages, and embedded systems. Walter has always had a passion for technical security problems and has built his career helping craft novel solutions to new, challenging issues in security. In his spare time, Walter enjoys playing open source games. He was previously a contributor and member of the Amethyst Game Engine and a lead contributor on other open source game development projects.

The Security Initiative Team Collaborates with these Rust Project Teams & Working Groups:

Program Sponsors

Security Initiative Progress Reports

More details on Security Initiative activities and progress can be found in the following reports:

In the News:

Security Initiative Stories

Get Involved

Interested in supporting the Security Initiative as a sponsor or in-kind donor? Email us at contact@rustfoundation.org to start a conversation.