| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security seriously. If you discover a security vulnerability in Munition, please report it responsibly.
Email: security@hyperpolymath.dev (or open a confidential issue)
Do NOT:
- Open a public GitHub/GitLab issue for security vulnerabilities
- Disclose the vulnerability publicly before we've had a chance to address it
| Action | Timeline |
|---|---|
| Initial acknowledgement | Within 24 hours |
| Initial assessment | Within 72 hours |
| Status update | Weekly until resolved |
| Fix development | Based on severity |
| Public disclosure | After fix is released |
| Severity | Description | Target Resolution |
|---|---|---|
| Critical | Remote code execution, sandbox escape | 24-48 hours |
| High | Privilege escalation, data exposure | 7 days |
| Medium | Denial of service, information disclosure | 30 days |
| Low | Minor issues, hardening improvements | Next release |
When reporting a vulnerability, please include:
- Description: Clear explanation of the vulnerability
- Impact: What an attacker could achieve
- Reproduction: Step-by-step instructions to reproduce
- Environment: OS, Elixir/Erlang versions, Wasmex version
- Proof of Concept: If available (please don't test on production systems)
We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Make a good faith effort to avoid privacy violations and data destruction
- Report vulnerabilities promptly
- Give us reasonable time to address the issue before public disclosure
- Do not exploit the vulnerability beyond what's necessary for proof
Munition is designed with security as a core principle:
- Capability Attenuation: Untrusted code runs with minimal privileges
- Memory Isolation: Each execution gets fresh, isolated memory
- Fuel Bounding: Guaranteed termination prevents resource exhaustion
- Forensic Capture: All failures are captured for analysis
See ARCHITECTURE.md for detailed security architecture.
- Host Functions: Custom host functions must be implemented securely
- Timing Attacks: Side-channel attacks via timing are theoretically possible
- Resource Limits: Memory allocation before instantiation is not bounded
- WASM Vulnerabilities: We depend on Wasmtime's security; monitor their advisories
We monitor security advisories for:
- Wasmex / Wasmtime
- Erlang/OTP
- Elixir
Run mix deps.audit to check for known vulnerabilities.
Security updates are announced via:
- GitLab releases (with security label)
- CHANGELOG.md entries
- Direct notification to affected users (if contact available)
We maintain a list of security researchers who have responsibly disclosed vulnerabilities in SECURITY-ACKNOWLEDGMENTS.md (created after first disclosure).