Rust Foundation Establishes Security Team to Support and Advance Rust Programming Language

OpenSSF Alpha-Omega funding and JFrog’s commitment of security researcher time establishes dedicated security team at the Foundation

DUBLIN, September 13, 2022 - The Rust Foundation, the nonprofit organization dedicated to supporting and sustaining the Rust programming language, today announced it is establishing a dedicated security team. The team is being underwritten with generous support from the OpenSSF’s Alpha-Omega Initiative, which partners with open source software projects and maintainers to improve the global software supply chain security, and Rust Foundation’s newest Platinum member JFrog.

“There’s often a misperception that because Rust ensures memory safety that it’s one hundred percent secure, but Rust can be vulnerable just like any other language and warrants proactive measures to protect and sustain it and the community,” said Bec Rumbul, Executive Director at the Rust Foundation. “With the establishment of the Rust Foundation Security Team, we will be able to support the broader Rust community with the highest-level of security talent and help ensure the reliability of Rust for everyone. Of course, this is just a start. We hope to continue to build out the team in the coming months and years.”

These investments from Alpha-Omega and JFrog include dedicated staff resources that will enable the Rust Foundation to create and implement security best practices. The first initiative for the new Security Team will be to undertake a security audit and threat modeling exercises to identify how security can be economically maintained going forward. The team will also help advocate for security practices across the Rust landscape, including Cargo and Crates.io, and will be a resource for the maintainer community.

The OpenSSF suggested in its 10-Point Open Source Security Mobilization Plan released earlier this year that the industry work to eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages with Rust and Go. As a result, the OpenSSF’s Alpha-Omega Initiative has made a grant to the Rust Foundation to support a dedicated security engineer. Alpha-Omega is funded by Google and Microsoft with a mission of direct engagement to improve the security of OSS projects. “We’re learning how to turn money into security,” said Michael Winser and Michael Scovetta, co-directors of the project.

“The Rust programming language shows great promise for a more secure global supply chain, and the Rust Foundation is the home for this work,” said Brian Behlendorf, GM, OpenSSF. “We are looking forward to seeing the Rust Foundation’s Security Team get started and collaborating on this important work.”

JFrog just last week announced it is joining the Rust Foundation at the Platinum level. As part of the company’s investment in the Rust Foundation and ecosystem, JFrog has committed members of its Security Research team to work on the Rust Foundation Security Team. JFrog joins AWS, Google, Huawei, Meta, Microsoft, and Mozilla at the Platinum level.

“The Rust Foundation provides the forum for collaboration among all Rust stakeholders and is the natural home for a dedicated security team,” said Stephen Chin, VP of Developer Relations, JFrog. “We believe it’s the responsibility of all of us who use Rust to contribute resources for the greater good of the community, and providing world class researchers from the JFrog Security team is one of the ways we are supporting the Rust ecosystem.”

About the Rust Foundation #

The Rust Foundation is the nonprofit organization dedicated to supporting and sustaining the Rust programming language through virtual and in-person collaboration, training and education, open governance and technical infrastructure. For more information, please visit: https://foundation.rust-lang.org/