Do not open a public GitHub issue for security vulnerabilities. Public issues are visible to attackers before they're fixed.
Instead, use one of these private channels:
- GitHub Security Advisories (preferred)
- Go to the repo's Security tab β "Report a vulnerability"
- This creates a private advisory only maintainers can see
- Email the maintainer at
swatelite2506@gmail.com- Subject prefix:
[phyriad-security] - PGP key: not currently published; plain email is acceptable
- Subject prefix:
When reporting, please include:
- Affected version (
git rev-parse HEADor release tag) - Affected component (pillar name, e.g.,
framework/pool) - Threat model assumed (e.g., "untrusted task fn from network", "shared-memory IPC with a malicious peer")
- Reproduction steps or PoC if you have one
- Impact assessment (information disclosure, RCE, DoS, etc.)
- Suggested fix (optional but appreciated)
Phyriad is a library, not a service. Most CVEs in libraries fall into a few categories β Phyriad's interpretation:
| Class | Severity | In scope? |
|---|---|---|
| Memory safety in framework code (UAF, OOB, double-free) | π΄ Critical | β Yes |
| Data races / lock-free correctness bugs that lead to memory safety | π΄ Critical | β Yes |
| Information disclosure across security boundaries (e.g., uninit memory in IPC payload) | π High | β Yes |
phyriad::ipc::ShmRegion deserialisation bugs (the seqlock contract) |
π High | β Yes |
| Schema-hash collisions exploitable for cross-version masquerade | π High | β Yes |
Plugin loader path traversal (phyriad::plugin::PluginLoader) |
π High | β Yes |
| Denial of service via bench / fuzz inputs to framework | π‘ Medium | β Yes |
| Build system issues (CMake injection in user-controlled paths) | π‘ Medium | β Yes |
| Performance regression > 10% | π’ Functional bug, not security | β Use a regular issue |
| Application-level bugs in Ayama (the showcase app) | π‘ Medium | β Yes (separate component) |
| Build issues unrelated to security | n/a | β Use a regular issue |
Untrusted task functions are NOT a Phyriad-level threat. If your
application accepts arbitrary void(*)(void*) noexcept from the network,
that's an application-level decision and your responsibility. Phyriad
provides a thread pool, not a sandbox.
We aim for coordinated disclosure:
| Day | Action |
|---|---|
| 0 | You report the issue privately |
| β€ 3 | Maintainer acknowledges receipt |
| β€ 14 | Maintainer assesses severity, opens private advisory |
| β€ 30 | Maintainer proposes a fix (longer for complex issues) |
| Fix ready | Coordinate disclosure date with reporter |
| Public release | CVE / GHSA published; CHANGELOG entry; reporter credited (with consent) |
For critical issues (active exploitation, no workaround), we publish a hotfix release as soon as the fix is ready, then disclose.
For lower severity issues, we batch into the next regular release.
| Version | Status | Security fixes? |
|---|---|---|
| Pre-1.0 (current) | Active development | β Best effort |
| 1.0.x (when released) | Stable | β Yes |
| < 1.0 after 1.0 ships | EOL | β Upgrade to 1.0 |
| Each major version after release | Supported for 12 months minimum past next major | β Yes |
Specifically: when 2.0 releases, the latest 1.x continues to receive
security fixes for 12 months. After that, users should upgrade.
Phyriad has several APIs that cross trust boundaries. Bugs in these are higher-priority for security review:
- Trust assumption: the SHM region peer is trusted. A malicious peer CAN exploit a torn-read or schema-mismatch bug.
- Hardening: schema-hash check at open + seqlock protocol + size validation.
- Known limitation: if the peer process modifies the header magic
without bumping the seq counter, readers may observe inconsistent
state. This is documented in
ShmRegion.hpp.
- Trust assumption: plugin .so/.dll paths come from a trusted source (config file, signed by the application).
- Hardening: no symbol resolution from untrusted strings; relies on the OS dynamic linker.
- Known limitation: a malicious plugin with valid signature can do anything within the process. Not Phyriad's responsibility to sandbox.
- Trust assumption: the task
fnpointer is application-controlled. - Hardening: Phyriad does NOT validate
fnpointer; the application must ensurefnis callable + noexcept + non-null. - Out of scope: defending against malicious task fns. Use OS-level sandboxing (seccomp, restricted token, etc.) if your application takes task fns from untrusted sources.
- Trust assumption: peers agree on the schema-hash of wire types.
- Hardening: SHA-128 hash of the canonical type signature; collision resistance is the hash's job.
- Known limitation: an intentional collision crafted by an attacker with control over both peers could mismatch types. Mitigation: pin schema hashes in code, validate on connect.
Phyriad's CI runs:
- ASan + UBSan on every PR (clang 18 + libc++)
- TSan on every PR (clang 18 + libc++)
- Weekly full sanitizer sweep on
main - Linux-only currently β Windows sanitizer CI is on the P3 follow-up list
Pre-release we run all of the above plus manual fuzzing on:
- Schema parsing
- SHM region open/read
These are not exhaustive β please report sanitizer findings even if you saw them in your local build.
We thank security researchers who responsibly disclose. With your permission, contributors get credit in:
CHANGELOG.mdentry for the version that fixes the issue- This file's hall of fame (below)
- The GitHub Security Advisory
(No reports yet β Phyriad is pre-1.0.)
- CONTRIBUTING.md β general contribution workflow
- CODE_OF_CONDUCT.md β community standards
- RELEASE.md β versioning policy
- docs/STL_AVOIDANCE_AUDIT.md β perf discipline (relevant for understanding lock-free correctness)