From 199e13bd901ec706a603b422602fe02aec64cd5d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 8 Apr 2025 02:02:48 +0000
Subject: [PATCH 1/2] Bump tokio from 1.42.0 to 1.44.2

Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.42.0 to 1.44.2.
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.42.0...tokio-1.44.2)

---
updated-dependencies:
- dependency-name: tokio
  dependency-version: 1.44.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 Cargo.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 99b82058..3d59f0b1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2327,9 +2327,9 @@ dependencies = [
 
 [[package]]
 name = "tokio"
-version = "1.42.0"
+version = "1.44.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551"
+checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
 dependencies = [
  "backtrace",
  "bytes",
@@ -2344,9 +2344,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-macros"
-version = "2.4.0"
+version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752"
+checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
 dependencies = [
  "proc-macro2",
  "quote",

From c36b426a4fe140aadb1fd1ba366cd80e25c65c60 Mon Sep 17 00:00:00 2001
From: Pietro Albini <pietro@pietroalbini.org>
Date: Fri, 11 Apr 2025 22:58:28 +0200
Subject: [PATCH 2/2] add scope to the security policy

---
 locales/en-US/security.ftl           | 40 ++++++++++++++++++++++++++++
 templates/policies/security.html.hbs | 10 +++++++
 2 files changed, 50 insertions(+)

diff --git a/locales/en-US/security.ftl b/locales/en-US/security.ftl
index 96d0a572..d5f67bb6 100644
--- a/locales/en-US/security.ftl
+++ b/locales/en-US/security.ftl
@@ -22,6 +22,46 @@ security-reporting-description--2022-01 =
         </ul>
         <p>Please note that the discussion forums are public areas. When escalating in these venues, please do not discuss your issue. Simply say that you’re trying to get a hold of someone from the security team.</p>
 
+security-scope-heading = Scope
+security-scope--2025-04 =
+        <p>The Rust Security Response WG handles vulnerability reports for everything maintained and published by the Rust Project:</p>
+        <ul>
+            <li>
+                The following GitHub organizations, and all repositories and CI pipelines hosted in them:
+                <ul>
+                    <li><a href="https://github.com/rust-lang"><code>rust-lang</code></a></li>
+                    <li><a href="https://github.com/rust-lang-ci"><code>rust-lang-ci</code></a></li>
+                    <li><a href="https://github.com/rust-lang-nursery"><code>rust-lang-nursery</code></a></li>
+                    <li><a href="https://github.com/rust-analyzer"><code>rust-analyzer</code></a></li>
+                </ul>
+            </li>
+            <li>
+                The following domain names, all their subdomains, and all applications hosted within:
+                <ul>
+                    <li><a href="http://rust-lang.org">rust-lang.org</a> (see exceptions below)</li>
+                    <li><a href="http://rustup.rs">rustup.rs</a></li>
+                    <li><a href="http://crates.io">crates.io</a> (see exceptions below)</li>
+                    <li><a href="http://docs.rs">docs.rs</a></li>
+                    <li><a href="http://rfcbot.rs">rfcbot.rs</a></li>
+                </ul>
+            </li>
+            <li>All crates owned by <a href="https://crates.io/users/rust-lang-owner">@rust-lang-owner</a> on <a href="http://crates.io">crates.io</a>.</li>
+            <li>All extensions in the Visual Studio Marketplace published by <a href="https://marketplace.visualstudio.com/publishers/rust-lang"><code>rust-lang</code></a>.</li>
+            <li>All extensions in the Open VSX registry published by <a href="https://open-vsx.org/namespace/rust-lang"><code>rust-lang</code></a>.</li>
+        </ul>
+        <p>The following things are <strong>outside our scope</strong>:</p>
+        <ul>
+            <li>The <a href="http://internals.rust-lang.org">internals.rust-lang.org</a> and <a href="http://users.rust-lang.org">users.rust-lang.org</a> domains. Please follow <a href="https://github.com/discourse/discourse/blob/main/docs/SECURITY.md">Discourse's Security Policy</a> for it.</li>
+            <li>Third-party packages published on <a href="http://crates.io">crates.io</a>. Please follow <a href="https://crates.io/security">crates.io's Security Policy</a> for them.</li>
+        </ul>
+        <p>When reporting vulnerabilities, keep in mind that:</p>
+        <ul>
+            <li>Unless otherwise noted, all components of the Rust toolchain (rustc, Cargo, rust-analyzer, or any other tool shipped through rustup) assume that the user's source code and dependencies are fully trusted, reviewed and contain no malicious code. We do not consider attacks caused by compiling or analyzing malicious projects or dependencies a security vulnerability.</li>
+            <li>Soundness issues in the Rust compiler or language are not automatically classified as a security vulnerability, but will be analyzed on a case-by-case basis if reported.</li>
+            <li>The <code>regex</code> crate <a href="https://docs.rs/regex/latest/regex/#untrusted-input">provides guarantees about untrusted patterns</a>. We consider denial of service with untrusted patterns a security vulnerability only if the time spent inside of the <code>regex</code> crate is not linear, and none of the <a href="https://docs.rs/regex/latest/regex/struct.RegexBuilder.html">limit methods in <code>RegexBuilder</code></a> are able to prevent the attack.</li>
+        </ul>
+        <p>If you have doubts on whether something falls within our scope, <a href="mailto:security@rust-lang.org">please reach out</a> and we will provide guidance.</p>
+
 security-disclosure-heading = Disclosure policy
 security-disclosure-description =
         <p>The Rust project has a 5 step disclosure process.</p>
diff --git a/templates/policies/security.html.hbs b/templates/policies/security.html.hbs
index ebd07225..84e8600c 100644
--- a/templates/policies/security.html.hbs
+++ b/templates/policies/security.html.hbs
@@ -30,6 +30,16 @@
   </div>
 </section>
 
+<section id="scope" class="white">
+  <div class="w-100 mw-none ph3 mw8-m mw9-l center f3">
+    <header>
+      <h2>{{fluent "security-scope-heading"}}</h2>
+      <div class="highlight"></div>
+    </header>
+    {{fluent "security-scope--2025-04"}}
+  </div>
+</section>
+
 <section id="security-disclosure-policy" class="green">
   <div class="w-100 mw-none ph3 mw8-m mw9-l center f3">
     <header>