If you find a security vulnerability in the Logos compiler, please do not open a public GitHub issue. Email the maintainer directly:
Include:
- A description of the vulnerability.
- A reproduction (a minimal `.logos` source file, a CLI invocation, or both).
- Your assessment of the impact.
- Whether you'd like credit in the eventual fix announcement.
You'll get a reply within 7 days. Most reports get triaged within 48 hours.
The Logos compiler is a tool. The kinds of issues that we treat as security-grade:
- Memory safety bugs in the compiler itself. Crashes, use-after-free, buffer overflows in the Rust code. Most should be impossible by virtue of Rust's safety guarantees, but unsafe blocks (none currently) or compiler bugs could change that.
- Denial-of-service via malicious source. A `.logos` file that triggers infinite memory consumption, infinite loops, or stack overflow in the compiler.
- Code injection via source. A `.logos` file that causes the compiler to execute arbitrary code on the host system.
- Path traversal in CLI commands. A path argument that escapes the working directory in ways the user didn't intend.
- Information disclosure. Error messages or compiler output that reveal data from outside the source file.
These are not security issues (file them as normal bugs):
- Programs that the type checker allows but ought to reject. That's a soundness bug; file it normally.
- Generated code that has bugs. The synthesis layer is correctness-critical (v0.6+), but bugs there are correctness issues, not security issues, unless they cause one of the categories above.
- The user choosing to write programs that do bad things. Logos is a general-purpose programming language. If you write a Logos program that deletes files, that's not a Logos security issue.
The maintainer will:
- Confirm the report within 48 hours.
- Verify the vulnerability and assess impact within 7 days.
- Develop and test a fix.
- Coordinate disclosure with the reporter.
- Publish a security advisory and patched release.
The default disclosure timeline is 90 days from initial report, in line with industry norms. Critical vulnerabilities with active exploitation may move faster; minor issues may move slower with mutual agreement.
While Logos is in v0.0.x, only the latest tagged release is supported. Patches are not backported to earlier v0.0 versions.
This will tighten as the project approaches v1.0:
- v0.1 through v1.0: latest minor version supported
- v1.0+: previous one major version supported (1.x patches when 2.x is current)
Reporters of confirmed security issues are acknowledged in the corresponding security advisory, unless they request otherwise.