# oci-spec-rs Security
Security is taken seriously and has high priority across all related projects to
ensure users can trust this project for their systems.
We're extremely grateful for security researchers and users that report
vulnerabilities to the community. All reports are thoroughly investigated by a
set of community volunteers.
## Report a Vulnerability
To make a report, email the vulnerability to the private
[cncf-oci-spec-rs-security@lists.cncf.io](mailto:cncf-crio-security@lists.cncf.io) list
with the security details.
You can expect an initial response to the report within 3 business days.
Possible fixes for vulnerabilities will then be discussed via the mail thread
and can be considered automatically embargoed until they are merged into all
related branches. A project approver or reviewer (as defined in the
[OWNERS](./OWNERS) file) will coordinate how the pull requests and patches are
incorporated into the repository without breaking the embargo.
### When Should I Report a Vulnerability?
- You think you discovered a potential security vulnerability
- You are unsure how a vulnerability affects this project
- You think you discovered a vulnerability in another project that oci-spec-rs
depends on (for projects with their own vulnerability reporting and disclosure
process, please report it directly there)
### When Should I NOT Report a Vulnerability?
- You need help tuning components for security
- You need help applying security-related updates
- Your issue is not security-related