| Version | Supported |
|---|---|
| 1.2.x | ✅ |
| 1.1.x | ✅ |
| < 1.1 | ❌ |
We recommend always using the latest version for the best security.
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the form with details about the vulnerability
This ensures the vulnerability is handled privately until a fix is released.
If you cannot use GitHub Security Advisories, contact the maintainer directly. Include:
- Subject:
[SECURITY] Brief description - Description: Detailed explanation of the vulnerability
- Steps to Reproduce: How to trigger the vulnerability
- Impact Assessment: Potential impact and severity
- Suggested Fix: If you have one (optional)
| Stage | Timeframe |
|---|---|
| Initial Response | Within 48 hours |
| Vulnerability Confirmation | Within 7 days |
| Patch Development | Varies by severity |
| Security Advisory Published | Upon fix release |
- Vulnerability Type: (e.g., path traversal, injection, DoS)
- Affected Component: Which module/file is affected
- Affected Versions: Which versions contain the vulnerability
- Steps to Reproduce: Minimal steps to demonstrate the issue
- Proof of Concept: Code or commands (if safe to share)
- CVSS score estimate
- CVE references (if known)
- Suggested mitigation
- Whether you want credit in the advisory
The following are considered valid security concerns:
- Path traversal attacks (tarfile extraction, file paths)
- Remote code execution (command injection, unsafe deserialization)
- Denial of service (resource exhaustion, infinite loops)
- Information disclosure (log leakage, credential exposure)
- Dependency vulnerabilities (with proof of exploitability)
- Authentication/Authorization bypasses (if applicable)
- Symlink attacks (in file extraction or handling)
The following are NOT considered security vulnerabilities:
- Vulnerabilities in dependencies without proof of exploitation
- Issues requiring physical access to the machine
- Social engineering attacks
- Spam or phishing attacks
- Denial of service via excessive API usage (rate limiting is documented)
- Bugs that don't have security implications
| Feature | Status | Description |
|---|---|---|
| Path Traversal Protection | ✅ | Validates crate names and extraction paths |
| Symlink Attack Protection | ✅ | Blocks symlinks pointing outside extraction directory |
| Input Validation | ✅ | Validates crate names against allowed patterns |
| Dependency Scanning | ✅ | CodeQL and Bandit scan on every PR |
| License Compliance | ✅ | cargo-license integration |
| Security Auditing | ✅ | cargo-deny integration for advisories |
When contributing, please:
- Never log secrets - Avoid logging API keys, tokens, or credentials
- Validate all inputs - Especially paths, URLs, and user-provided data
- Use parameterized queries - If adding database functionality
- Avoid
shell=True- Use list-based subprocess calls - Handle errors safely - Don't expose internal details in error messages
- Day 0: Vulnerability reported
- Day 1-2: Initial triage and acknowledgment
- Day 3-7: Vulnerability confirmed and assessed
- Day 7-30: Patch developed and tested
- Day 30-45: Coordinated disclosure with reporter
- Day 45+: Public advisory and fix release
| Severity | Response Time | Description |
|---|---|---|
| Critical | 24-48 hours | Remote code execution, authentication bypass |
| High | 72 hours | Data exposure, significant DoS |
| Medium | 7 days | Limited impact vulnerabilities |
| Low | 30 days | Minimal impact, defense in depth |
We consider security research conducted in good faith to be authorized and will not pursue legal action against researchers who:
- Act in good faith - Make reasonable efforts to avoid privacy violations, data destruction, and service disruption
- Report promptly - Submit findings through the proper channels
- Allow reasonable time - Give us time to respond before public disclosure
- Don't exploit - Don't use the vulnerability beyond proof of concept
Security advisories are published through:
- GitHub Security Advisories - Primary notification channel
- Release Notes - Mentioned in CHANGELOG
- PyPI - New version with security fix
To receive notifications, Watch the repository and enable security alerts.
- GitHub Security Advisories: Preferred method
- Maintainer: Dave Tofflemire (@Superuser666-Sigil)
We appreciate responsible disclosure and will acknowledge security researchers in our advisories (unless they prefer to remain anonymous).
Contributors who have helped improve our security will be listed here.
Thank you for helping keep Sigil Pipeline secure! 🔒