Statement on Global Regulations

Rust’s greatest strength is its community of maintainers, contributors, and users. Our community is a global one, with participants from dozens of countries worldwide. The Rust Foundation’s mission is to support this international effort and we welcome and rely on contributors from all over.

US Export Controls #

The Rust Foundation is also a US-based organization and we recognize that in the United States, the export of certain software products and technical information is regulated by the Export Administration Regulations (EAR), which are administered by the Bureau of Industry and Security (BIS), a division of the US Department of Commerce. This statement reflects our understanding of how these regulations relate to the Rust Foundation’s activities. We are grateful to the Linux Foundation for their guidance to open source communities on this issue, which we draw on here.

Open Source Development #

The Rust Foundation’s core purpose is to support the collaborative development of the free and open source Rust programming language. The Rust project is developed in the open and made available to the public freely, subject only to the conditions of the applicable open source licenses. Published software, including open source software, is generally not subject to the EAR.1

Open Source Encryption Software #

While open source encryption software is also exempt from the EAR,2 open source projects that implement non-standard encryption are required to send a notice to the BIS and the National Security Agency (NSA), identifying the location of the project’s source code.3 The Rust Foundation works with Rust maintainers to ensure that appropriate notices are sent where required.

Security Vulnerability Pre-Disclosure Lists #

To mitigate the impact of security vulnerabilities on the Rust community, the Rust Project maintains a security policy that encourages the private disclosure of vulnerability information to the Rust security team, and provides for the pre-disclosure of security fixes via the Rust security mailing shortly before their public disclosure. Materials submitted privately, with the intention that they will be made publicly available if accepted for publication, are deemed “published” and therefore not controlled under the EAR.4

Other Activities #

In addition to supporting the collaborative development of open source software, the Rust Foundation hosts meetings related to the governance of the Foundation of the Rust project, and produces events to support and develop the Rust community. Attending these meetings and events (telephonically or in person), participating in training on open source technologies, and providing membership or sponsorship funds are all activities that do not involve the exchange of EAR-controlled technology and are not subject to the EAR.

1 15 C.F.R. §734.7(a) & 742.15(b).
2 81 Fed. Reg. 64656, 64668 (September 20, 2016). See also, https://www.bis.doc.gov/index.php/policy-guidance/encryption/223-new-encryption.
3 15 CFR § 742.15(b).
4 15 CFR § 734.7(a)(5).