Skip to content

Security: catancs/seqfw

Security

SECURITY.md

Security Policy

seqfw is a security tool: a validation firewall meant to sit at the trust boundary in front of memory-unsafe genomic parsers. We hold its own code and its disclosure practices to that standard.

Reporting a vulnerability

Please do not open a public issue for a security vulnerability.

Report privately through GitHub's "Report a vulnerability" form (repository → SecurityAdvisories). This opens a private advisory that only the maintainers can see.

Please include:

  • the affected version / commit,
  • a minimal description of the issue and its impact,
  • repro steps. For a structural reproducer (a small, hand-built file that demonstrates the shape of the problem) attach it directly. For anything that could function as a live exploit against an unpatched third-party parser, describe it — do not attach a weaponized file; we will arrange a safe channel.

We aim to acknowledge a report within 5 working days and to agree on a disclosure timeline with you. We will credit reporters who want credit.

What counts as a seqfw vulnerability

In scope — a flaw in seqfw itself, e.g.:

  • a malformed input that makes seqfw crash, hang, or exhaust memory (the tool is supposed to bound exactly these), including any path that escapes the decompression-bomb, line-length, or index-size guards;
  • a malicious input that seqfw reports as clean when it should be rejected (a validation bypass);
  • any memory-safety defect in the Rust core, CLI, or Python bindings.

Out of scope — vulnerabilities in the downstream parsers seqfw protects (htslib, samtools, BioPython, …). Report those to their respective projects. seqfw's job is to reduce your exposure to them, not to fix them.

Our disclosure ethics (how the benchmark corpus is built)

The benchmark/ harness demonstrates that seqfw blocks inputs that crash real, unmodified parsers. To do that responsibly:

  • Reproducers are patch-gated. We only build reproducers for bugs that are already disclosed and fixed upstream (e.g. CVE-2020-36403 on pinned htslib 1.10.2). Nothing is shipped that targets an unfixed issue.
  • Reproducers are structural and self-built. They are minimal files that exercise the shape of a known defect, generated by our own scripts behind a patch gate — not captured weaponized samples. See benchmark/PROVENANCE.md.
  • No live crasher is shipped for any issue without a public fix.

This mirrors what we ask of reporters above, and follows the dual-use / responsible-disclosure stance in the design spec (§11).

Supported versions

seqfw is pre-1.0. Security fixes land on main and in the latest release. Until 1.0, only the latest published version is supported.

There aren't any published security advisories