We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We take the security of ReqStream seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them using one of the following methods:
- Preferred: GitHub Security Advisories - Use the private vulnerability reporting feature
- Alternative: Contact the project maintainers directly through GitHub
Please include the following information in your report:
- Type of vulnerability (e.g., SQL injection, cross-site scripting, etc.)
- Full path of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After submitting a vulnerability report, you can expect:
- Acknowledgment: We will acknowledge receipt of your vulnerability report promptly
- Investigation: We will investigate the issue and determine its impact and severity
- Updates: We will keep you informed of our progress as we work on a fix
- Resolution: Once the vulnerability is fixed, we will:
- Release a security patch
- Publicly disclose the vulnerability (with credit to you, if desired)
- Update this security policy as needed
- Initial Response: Promptly
- Status Update: Regular updates as investigation progresses
- Fix Timeline: Varies based on severity and complexity
Security updates will be released as:
- Critical vulnerabilities: Patch release as soon as possible
- High severity: Patch release within 30 days
- Medium/Low severity: Included in the next regular release
When using ReqStream, we recommend following these security best practices:
- Always validate YAML input files before processing
- Be cautious when processing requirement files from untrusted sources
- Use the latest version of ReqStream to benefit from security updates
- Keep ReqStream and its dependencies up to date
- Review the release notes for security-related updates
- Use
dotnet list package --vulnerableto check for vulnerable dependencies
- Run ReqStream with the minimum required permissions
- Avoid running ReqStream as a privileged user unless necessary
- Use trusted sources for YAML requirement files
ReqStream processes YAML files which can contain complex nested structures. While we use secure YAML parsing libraries, users should:
- Only process YAML files from trusted sources
- Be aware that maliciously crafted YAML can potentially cause resource exhaustion
- Monitor resource usage when processing large or untrusted YAML files
ReqStream reads and writes files on the local file system. Users should:
- Ensure appropriate file permissions are set on requirement files
- Be cautious when processing files in shared directories
- Validate file paths to prevent directory traversal attacks
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find similar problems
- Prepare fixes for all supported versions
- Release patches as soon as possible
We will credit security researchers who report vulnerabilities responsibly. If you would like to be credited:
- Provide your name or pseudonym
- Optionally provide a link to your website or GitHub profile
- Let us know if you prefer to remain anonymous
ReqStream relies on third-party packages. We:
- Regularly update dependencies to address known vulnerabilities
- Use Dependabot to monitor for security updates
- Review security advisories for all dependencies
To check for vulnerable dependencies yourself:
dotnet list package --vulnerableFor security concerns, please use GitHub Security Advisories or contact the project maintainers directly through GitHub.
For general bugs and feature requests, please use GitHub Issues.
Thank you for helping keep ReqStream and its users safe!