Skip to content

Security: OneVoris/VMem

Security

SECURITY.md

Security Policy

Reporting

Report vulnerabilities through the hosting platform's private security-reporting mechanism. Do not open a public issue for an unpatched vulnerability.

Include affected versions, configuration, platform, impact, a minimal reproducer, and any suspected cross-repository dependency.

Supported Versions

Until the first stable release, only the newest development line receives security fixes. A supported-version matrix will be added before 1.0.

Security Boundaries

  • Integer overflow and invalid alignment.
  • Use-after-free and wrong-owner release.
  • Resource exhaustion and budget bypass.
  • Allocator metadata corruption.

Expectations

  • Peer-controlled sizes, counts, nesting, queues, and work have hard limits.
  • Secure defaults cannot be disabled implicitly by missing configuration.
  • Secrets and untrusted payloads are not written to normal logs.
  • Third-party security updates are tracked at provider boundaries.
  • Security fixes include regression tests and coordinated upstream/downstream releases when required.

There aren't any published security advisories