seqfw is a security tool: a validation firewall meant to sit at the trust
boundary in front of memory-unsafe genomic parsers. We hold its own code and its
disclosure practices to that standard.
Please do not open a public issue for a security vulnerability.
Report privately through GitHub's "Report a vulnerability" form (repository → Security → Advisories). This opens a private advisory that only the maintainers can see.
Please include:
- the affected version / commit,
- a minimal description of the issue and its impact,
- repro steps. For a structural reproducer (a small, hand-built file that demonstrates the shape of the problem) attach it directly. For anything that could function as a live exploit against an unpatched third-party parser, describe it — do not attach a weaponized file; we will arrange a safe channel.
We aim to acknowledge a report within 5 working days and to agree on a disclosure timeline with you. We will credit reporters who want credit.
In scope — a flaw in seqfw itself, e.g.:
- a malformed input that makes
seqfwcrash, hang, or exhaust memory (the tool is supposed to bound exactly these), including any path that escapes the decompression-bomb, line-length, or index-size guards; - a malicious input that
seqfwreports as clean when it should be rejected (a validation bypass); - any memory-safety defect in the Rust core, CLI, or Python bindings.
Out of scope — vulnerabilities in the downstream parsers seqfw protects (htslib,
samtools, BioPython, …). Report those to their respective projects. seqfw's job
is to reduce your exposure to them, not to fix them.
The benchmark/ harness demonstrates that seqfw blocks inputs that crash real,
unmodified parsers. To do that responsibly:
- Reproducers are patch-gated. We only build reproducers for bugs that are already disclosed and fixed upstream (e.g. CVE-2020-36403 on pinned htslib 1.10.2). Nothing is shipped that targets an unfixed issue.
- Reproducers are structural and self-built. They are minimal files that
exercise the shape of a known defect, generated by our own scripts behind a
patch gate — not captured weaponized samples. See
benchmark/PROVENANCE.md. - No live crasher is shipped for any issue without a public fix.
This mirrors what we ask of reporters above, and follows the dual-use / responsible-disclosure stance in the design spec (§11).
seqfw is pre-1.0. Security fixes land on main and in the latest release. Until
1.0, only the latest published version is supported.