The following versions of ADK-Rust are currently supported with security updates:
| Version | Supported |
|---|---|
| 0.5.x | ✅ |
| 0.4.x | ✅ |
| 0.3.x | ❌ |
| 0.2.x | ❌ |
| 0.1.x | ❌ |
We recommend always using the latest version to benefit from security patches and improvements.
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, report vulnerabilities via one of these methods:
- Email: Send details to security@zavora.ai
- GitHub Security Advisories: Use GitHub's private vulnerability reporting
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (if available)
- Your contact information for follow-up

Response timeline:
- Initial Response: Within 48 hours of receiving your report
- Status Update: Within 7 days with our assessment
- Resolution Target: Critical vulnerabilities within 30 days, others within 90 days

What to expect after you report:
- Acknowledgment: We'll confirm receipt of your report
- Investigation: Our team will investigate and validate the issue
- Communication: We'll keep you informed of our progress
- Credit: With your permission, we'll acknowledge your contribution in the security advisory

Disclosure policy:
- We follow coordinated disclosure practices
- We request a 90-day disclosure window to address vulnerabilities
- Security advisories will be published after fixes are available

When using ADK-Rust in your applications:
- Keep dependencies up to date
- Store API keys and secrets securely (use environment variables, not code)
- Validate and sanitize all inputs to agents
- Use guardrails for input/output validation
- Review agent outputs before taking automated actions
- Implement proper authentication for server deployments
This security policy applies to:
- All ADK-Rust crates published on crates.io
- The official repository at github.com/zavora-ai/adk-rust
- Official documentation and examples
Third-party integrations and forks are outside the scope of this policy.
For security-related questions that aren't vulnerabilities, you can reach us at security@zavora.ai.