Security Policy#
Supported Versions#
| Version | Supported |
|---|---|
| 0.5.x | ✅ Active |
| < 0.5 | ❌ No longer maintained |
Reporting a Vulnerability#
Do not open a public GitHub issue for security vulnerabilities.
Please report security issues by emailing security@memgar.com with:
- A description of the vulnerability and its potential impact
- Steps to reproduce (proof-of-concept code is helpful)
- Any suggested mitigations you've identified
We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 14 days for critical issues.
Scope#
In-scope vulnerabilities include:
- Bypass of threat detection (false-negative evasion techniques that evade all 4 layers)
- Pickle RCE via
_RestrictedUnpicklerallowlist bypass - SSRF via
FeedLoader(_ALLOWED_HOSTSbypass) - Path traversal via
MEMGAR_CACHE_DIR - Feed signature forgery (Ed25519 bypass)
- Gzip bomb bypass (decompression limits)
Out of scope: issues in third-party dependencies (report those upstream), rate limiting bypasses, and low-severity informational findings.
Disclosure Policy#
We follow coordinated disclosure. Once a fix is released, we will:
- Publish a CVE (if applicable)
- Credit the reporter in the release notes (unless anonymity is requested)
- Update
CHANGELOG.mdwith a security advisory entry
Bug Bounty#
We do not currently operate a paid bug bounty program, but we recognize responsible reporters in our release notes and CONTRIBUTORS file.