We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them using GitHub's private security advisory system: go to this repository's Security tab and click "Report a vulnerability" to open a private report with the maintainers.

When reporting, please include:

1. Description: A clear description of the vulnerability
2. Impact: The potential impact if exploited
3. Reproduction steps: Detailed steps to reproduce the issue
4. Affected versions: Which versions are affected
5. Suggested fix: If you have one (optional)

• Acknowledgment: We will acknowledge receipt within 48 hours
• Assessment: We will assess the vulnerability and determine its severity
• Updates: We will keep you informed of our progress
• Resolution: We aim to resolve critical issues within 30 days
• Credit: With your permission, we will credit you in the security advisory

gRPCServer.jl implements network protocols that require careful security consideration:

• Frame parsing and validation
• Stream multiplexing limits
• Flow control enforcement
• Header size limits

• Dynamic table size limits (potential for memory exhaustion)
• Huffman decoding validation
• Protection against compression bombs

• Certificate validation
• Cipher suite selection
• Protocol version enforcement
• ALPN negotiation

• Message size limits (max_message_size configuration)
• Concurrent stream limits (max_concurrent_streams configuration)
• Input validation on protobuf messages
• Error message information disclosure (controlled via debug_mode)

When deploying gRPCServer.jl in production:

1. Enable TLS: Always use TLS in production environments

   tls_config = TLSConfig(
       cert_chain = "/path/to/cert.pem",
       private_key = "/path/to/key.pem",
       min_version = :TLSv1_2
   )
   server = GRPCServer(host, port; tls = tls_config)

2. Disable debug mode: Never enable debug_mode in production

   server = GRPCServer(host, port; debug_mode = false)

3. Set appropriate limits: Configure message and stream limits

   server = GRPCServer(host, port;
       max_message_size = 4 * 1024 * 1024,  # 4MB
       max_concurrent_streams = 100
   )

4. Use mTLS for service-to-service: Enable client certificate authentication

   tls_config = TLSConfig(
       cert_chain = "/path/to/cert.pem",
       private_key = "/path/to/key.pem",
       client_ca = "/path/to/ca.pem",
       require_client_cert = true
   )

5. Implement authentication interceptors: Add authentication logic

   struct AuthInterceptor <: Interceptor end
   
   function (::AuthInterceptor)(ctx, request, info, next)
       token = get_metadata_string(ctx, "authorization")
       if !validate_token(token)
           throw(GRPCError(StatusCode.UNAUTHENTICATED, "Invalid token"))
       end
       return next(ctx, request)
   end

gRPCServer.jl depends on:

• ProtoBuf.jl: Message serialization
• OpenSSL.jl: TLS implementation
• CodecZlib.jl: Compression

Security vulnerabilities in these dependencies may affect gRPCServer.jl. We monitor for updates and will release patches as needed.

This project has not yet undergone a formal security audit. Security review plans will be documented in this repository once available.

We thank the security researchers who help keep gRPCServer.jl secure. Contributors will be acknowledged here (with permission).