| Version | Supported |
|---|---|
| 0.1.x | Yes |
| < 0.1 | No |
Users on unsupported versions should upgrade to the latest release. Please review the release notes when upgrading.
We take the security of Stringy seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, use one of the following channels:
- GitHub Private Vulnerability Reporting (preferred)
- Email support@evilbitlabs.io encrypted with our PGP key (verify the full fingerprint below before use)
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
In scope:
- Crashes or out-of-bounds reads when parsing crafted ELF, PE, or Mach-O binaries
- Denial of service via pathological input (excessive memory or CPU)
- Path traversal in file input handling
- Command injection via CLI arguments
- Unsafe code in dependencies that affects Stringy
Out of scope:
- Vulnerabilities in the underlying OS binary loaders
- Issues requiring physical access to the machine running Stringy
- Social engineering attacks
Note: This is a passion project with volunteer maintainers. Response times are best-effort and may vary based on maintainer availability.
- We will acknowledge receipt of your report within 1 week
- We will provide an initial assessment within 2 weeks
- We aim to release a fix within 90 days of confirmed vulnerabilities
- We will coordinate disclosure through a GitHub Security Advisory
- We will credit you in the advisory (unless you prefer to remain anonymous)
We ask that you:
- Give us reasonable time to respond to issues before any disclosure
- Avoid accessing or modifying other users' data
- Avoid actions that could negatively impact other users
Stringy includes several security-focused features:
- No unsafe code:
#![forbid(unsafe_code)]is enforced project-wide - Memory-safe parsing: All binary format parsing uses bounds-checked Rust libraries (goblin, pelite)
- Graceful error handling: Malformed inputs produce errors, not crashes
- Dependency auditing:
cargo-auditandcargo-denyrun in CI - Automated dependency updates: Via Dependabot
- Supply chain transparency: CycloneDX SBOMs and Sigstore attestations per release
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts you own or with explicit permission of the account holder
- Report vulnerabilities through the channels described above
We will not pursue legal action against researchers who follow this policy.
Fingerprint: F839 4B2C F0FE C451 1B11 E721 8F71 D62B F438 2BC0
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaLJmxhYJKwYBBAHaRw8BAQdAaS3KAoo+AgZGR6G6+m0wT2yulC5d6zV9lf2m
TugBT+O0L3N1cHBvcnRAZXZpbGJpdGxhYnMuaW8gPHN1cHBvcnRAZXZpbGJpdGxh
YnMuaW8+iNcEExYKAH8DCwkHRRQAAAAAABwAIHNhbHRAbm90YXRpb25zLm9wZW5w
Z3Bqcy5vcmexd21FpCDfIrO7bf+T6hH/8drbGLWiuEueWvSTyw4T/QMVCggEFgAC
AQIZAQKbAwIeARYhBPg5Syzw/sRRGxHnIY9x1iv0OCvABQJpiUiCBQkIXQE5AAoJ
EI9x1iv0OCvAm2sA/AqFT6XEULJCimXX9Ve6e63RX7y2B+VoBVHt+PDaPBwkAP4j
39xBoLFI6KZJ/A7SOQBkret+VONwPqyW83xfn+E7Arg4BGiyZsYSCisGAQQBl1UB
BQEBB0ArjU33Uj/x1Kc7ldjVIM9UUCWMTwDWgw8lB/mNESb+GgMBCAeIvgQYFgoA
cAWCaLJmxgkQj3HWK/Q4K8BFFAAAAAAAHAAgc2FsdEBub3RhdGlvbnMub3BlbnBn
cGpzLm9yZ4msIB6mugSL+LkdT93+rSeNePtBY4Aj+O6TRFU9aKiQApsMFiEE+DlL
LPD+xFEbEechj3HWK/Q4K8AAALEXAQDqlsBwMP2XXzXDSnNNLg8yh1/zQcxT1zZ1
Z26lyM7L6QD+Lya5aFe74WE3wTys5ykGuWkHYEgba+AyZNmuPhwMGAc=
=9zSi
-----END PGP PUBLIC KEY BLOCK-----
For general security questions, open a GitHub Issue. For vulnerability reports, use Private Vulnerability Reporting or email support@evilbitlabs.io.
Thank you for helping keep Stringy and its users secure!