| Version | Supported |
|---|---|
| 0.7.x | ✅ |
| < 0.7 | ❌ |
Only the latest 0.x release receives security fixes. Upgrade with:
pip install --upgrade scpn-controlIf you discover a security vulnerability in SCPN Control, please report it responsibly:
- Preferred: GitHub Security Advisories
- Email: protoscience@anulum.li (subject:
[SECURITY] SCPN Control) - Do not open a public GitHub issue for security vulnerabilities.
We will acknowledge receipt within 48 hours and aim to provide a fix within 7 days for critical issues.
SCPN Control is a simulation and control library. It does not handle user authentication, financial data, or network services in its default configuration. Security concerns are primarily:
- Malicious input files (JSON configs, GEQDSK equilibria, NumPy
.npz) - Unsafe deserialization (serde, pickle, NumPy load)
- Numerical overflow / denial of service via pathological inputs
- Native code memory safety (Rust crates via PyO3)
- Supply chain integrity (dependency audit via
cargo-deny)
- Input validation: Public API boundaries enforce finite-float, integer,
fraction, and 1D-array checks via
core/_validators.py. - Rust:
cargo denysupply-chain policy enforced in CI. - Checkpoint hygiene:
torch.load(..., weights_only=True)by default. - RNG isolation: All stochastic modules use scoped
numpy.random.Generator. - Pre-commit: ruff, mypy, cargo fmt, merge-conflict, private-key detection.
- No fuzzing harness yet (Hypothesis covers many paths).
- No third-party security audit.
- No CVE history.
Contributions to improve security coverage are welcome.