| Version | Supported |
|---|---|
| 2.x | ✅ |
| 1.x | ❌ |
If you discover a security vulnerability in STATE, please report it responsibly.
- Do NOT open a public issue for security vulnerabilities
- Use GitHub Security Advisories to report privately
- Or email: hyperpolymath@proton.me with subject "STATE Security"
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested fixes (optional)
Response timeline:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Target: Within 30 days for critical issues
This security policy covers:
- The STATE Guile Scheme library (`lib/`)
- STATE.scm template files
- Example configurations
- User-generated STATE.scm files
This security policy does not cover:
- Third-party minikanren implementations
- Issues in Guile Scheme itself
STATE.scm files may contain personal information (name, roles, project names, file paths).
Recommendations:
- Do not commit STATE.scm files with sensitive data to public repositories
- Review files before sharing
- Use `.gitignore` to exclude personal state files
STATE.scm files are Scheme code and will be evaluated when loaded.
Mitigations:
- Only load STATE.scm files from trusted sources
- Review files before loading in Guile REPL
- The library modules do not execute arbitrary code from state files
Security design:
- Minimal Dependencies: Core functionality has no external dependencies
- No Network Access: STATE does not make network requests
- No File System Writes: Library only reads state, never writes automatically
- Sandboxed Evaluation: State data is treated as data, not executable code
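As an added example (not the STATE project's own code), the following Guile Scheme snippet shows what "treated as data, not executable code" means in practice: it parses a STATE.scm file with `read`, which builds s-expressions without running anything, and then checks the result against an allow-list of keys before returning it. The `(state (key value ...) ...)` layout and the keys `name`, `roles` and `projects` are assumptions for illustration, and the sample file contents are constructed inline.

```scheme
;; Added example, not part of the STATE project. Assumes a STATE.scm file is
;; a single top-level form (state (key value ...) ...) and that the keys
;; below are the only ones expected; both are illustrative assumptions.

(define allowed-keys '(name roles projects))

;; Parse every top-level form with `read`. Unlike `load`, `read` only builds
;; s-expressions; nothing in the file is evaluated.
(define (read-forms port)
  (let loop ((form (read port)) (acc '()))
    (if (eof-object? form)
        (reverse acc)
        (loop (read port) (cons form acc)))))

;; Check the parsed data: exactly one (state ...) form whose entries are
;; lists headed by an allow-listed key. Returns the form or raises an error.
(define (validate-state forms)
  (unless (and (= (length forms) 1)
               (pair? (car forms))
               (eq? (caar forms) 'state))
    (error "STATE.scm must contain exactly one (state ...) form, got" forms))
  (for-each
   (lambda (entry)
     (unless (and (pair? entry) (memq (car entry) allowed-keys))
       (error "unexpected entry in STATE.scm:" entry)))
   (cdar forms))
  (car forms))

;; Read a STATE.scm file from disk as data and validate it.
(define (load-state-as-data path)
  (call-with-input-file path
    (lambda (port) (validate-state (read-forms port)))))

;; Constructed sample contents: a well-formed state form followed by a stray
;; expression. `load` would execute the second form; `read` returns it as a
;; plain list and the validator rejects the file.
(define sample-state
  "(state (name \"Alice\") (roles maintainer reviewer))
(display \"this line would run under load\")
")

(call-with-input-string sample-state
  (lambda (port)
    (let ((forms (read-forms port)))
      (format #t "parsed ~a forms without evaluating any~%" (length forms))
      (catch #t
        (lambda ()
          (validate-state forms)
          (display "accepted\n"))
        (lambda (key . args)
          (format #t "rejected: ~s~%" args))))))
```

Running this in a Guile REPL prints that two forms were parsed and that the file was rejected because of the stray `display` form; at no point was that form executed. Calling `load-state-as-data` on a real file behaves the same way: only a file that passes `validate-state` is returned, and a rejected file has still run no code.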