As async-inspect is currently in pre-1.0 development, only the latest minor version receives security updates. We recommend always using the latest version.

async-inspect is a debugging and observability tool designed for development and production monitoring. It does not:

• Handle authentication or authorization
• Process untrusted user input directly
• Make network requests
• Execute arbitrary code

When using async-inspect in production:

1. Sampling: Enable sampling to reduce overhead and data exposure

   Config::global().set_sampling_rate(100); // Track 1 in 100 tasks

2. Ring Buffer: Use bounded memory to prevent unbounded growth

   Timeline::with_ring_buffer(10_000);

3. Dashboard Access: The web dashboard (if enabled) binds to localhost by default. If exposing externally, implement appropriate access controls.

We take security seriously. If you discover a security vulnerability, please report it responsibly.

For security vulnerabilities, please DO NOT open a public GitHub issue.

Instead, please report security issues via one of these methods:

1. GitHub Security Advisories (Preferred)

   • Go to the Security tab
   • Click "Report a vulnerability"
   • Provide details about the vulnerability

2. Email

   • Send details to: async-inspect@ibrahimcesar.com
   • Use subject line: [SECURITY] async-inspect vulnerability report
   • Include PGP encryption if desired (key available on request)

Please provide:

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Potential impact
• Any suggested fixes (optional)

• Initial Response: Within 48 hours
• Assessment: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: Within 24-48 hours
  • High: Within 7 days
  • Medium: Within 30 days
  • Low: Next scheduled release

• We follow coordinated disclosure
• We will credit reporters in the security advisory (unless anonymity is requested)
• We aim to release fixes before public disclosure
• We will notify you when the fix is released

// Full tracking for debugging
Config::global().debug_mode();

use async_inspect::config::Config;

// Minimal overhead configuration
Config::global().production_mode();

// Or manually configure:
Config::global().set_sampling_rate(100);
Config::global().set_track_awaits(false);
Config::global().enable_adaptive_sampling();

async-inspect captures task names and metadata. Avoid including sensitive information in:

• Task names
• Custom event data
• Log messages that flow through the timeline

// Avoid this:
inspector.register_task(format!("process_user_{}", user_email)); // Leaks PII

// Prefer this:
inspector.register_task(format!("process_user_{}", user_id)); // Use opaque IDs

We regularly audit dependencies using:

cargo audit

Current dependency security status is tracked in our CI pipeline. Known advisories are documented in release notes.

Security-sensitive optional dependencies:

Disable features you don't need:

[dependencies]
async-inspect = { version = "0.1", default-features = false, features = ["tokio", "cli"] }

• Initial release
• No known security vulnerabilities

Thank you for helping keep async-inspect and its users safe!