We take security seriously for the Vais programming language compiler. The following versions are currently supported with security updates:
| Version | Supported | Status |
|---|---|---|
| 0.1.x | ✅ | Development |
| < 0.1.0 | ❌ | Pre-release |
Note: Vais is currently in active development (version 0.1.x). Security updates will be applied to the latest development version. Once we reach 1.0.0, we will maintain security support for the current major version and the previous major version.
-
Compiler Inputs:
- Source code files (
.vais) - Import/module paths
- CLI arguments
- Configuration files
- Source code files (
-
Generated Code:
- LLVM IR
- Native binaries
- FFI declarations
-
Runtime Components:
- Plugin system (native shared libraries)
- Playground server (remote code execution)
- Package registry
- Code Injection: Malicious LLVM IR generation
- Path Traversal: Unauthorized file system access via imports
- Resource Exhaustion: DoS via compiler bombs (deep recursion, macro expansion)
- FFI Misuse: Type safety violations at FFI boundaries
- Supply Chain: Compromised dependencies or packages
The following are not considered security vulnerabilities:
- Bugs in user-written Vais code (use our security analyzer:
vais-security) - Performance issues that don't lead to DoS
- Compilation errors on malformed input (expected behavior)
- Behaviors explicitly documented as unsafe
DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities to:
Email: security@vais.dev (if not available, create a GitHub Security Advisory)
GitHub Security Advisory:
- Go to https://github.com/vaislang/vais/security/advisories
- Click "New draft security advisory"
- Fill out the form with details
Please include the following information in your report:
- Description: Clear description of the vulnerability
- Impact: What an attacker could achieve
- Reproduction Steps: Minimal steps to reproduce
- Proof of Concept: Example code or commands (if safe to include)
- Environment: OS, compiler version, relevant configuration
- Suggested Fix: If you have ideas (optional)
Subject: [SECURITY] Stack overflow in parser via deep recursion
Description:
The Vais parser can be crashed with deeply nested expressions, causing
a stack overflow and denial of service.
Impact:
An attacker can crash the compiler or any service using it (including
the playground server) by submitting crafted Vais source code.
Reproduction:
1. Create a file with 10,000 nested parentheses: (((((...))))
2. Run: vaisc input.vais
3. Observe: Stack overflow crash
Environment:
- Vais version: 0.1.0
- OS: macOS 14.0 (also tested on Linux)
- Command: vaisc build deep.vais
Suggested Fix:
Add MAX_RECURSION_DEPTH constant and track depth in Parser struct.
We are committed to addressing security vulnerabilities promptly:
| Severity | First Response | Fix Target | Disclosure |
|---|---|---|---|
| Critical | 24 hours | 7 days | After fix |
| High | 48 hours | 14 days | After fix |
| Medium | 1 week | 30 days | After fix |
| Low | 2 weeks | 90 days | With release |
Severity Levels:
- Critical: Remote code execution, arbitrary file access, complete system compromise
- High: DoS, privilege escalation, information disclosure of sensitive data
- Medium: Limited DoS, minor information disclosure, bypassing security features
- Low: Low-impact issues, theoretical vulnerabilities
We follow coordinated disclosure:
- Private Disclosure: You report the vulnerability privately
- Investigation: We confirm and investigate (target: 48-72 hours)
- Development: We develop and test a fix
- Notification: We notify you when fix is ready
- Public Disclosure: We publish advisory after fix is released (or after 90 days, whichever comes first)
We believe in giving credit where it's due:
- Security researchers will be credited in release notes and security advisories (unless you prefer to remain anonymous)
- We may offer recognition on our website/documentation
- For significant vulnerabilities, we may offer rewards (program TBD)
- GitHub Security Advisories: https://github.com/vaislang/vais/security/advisories
- Release Notes: Check CHANGELOG.md for security fixes
- Mailing List: (TBD) Subscribe to security-announce@vais.dev
- Always use the latest version of the Vais compiler
- Enable security checks: Use
vaisc checkwith security warnings - Review dependencies: Run
vaisc pkg auditregularly - Monitor advisories: Subscribe to security notifications
-
Don't compile untrusted code without sandboxing:
# Bad: Compiling untrusted code directly vaisc build untrusted.vais # Better: Use a container or VM docker run --rm -v $(pwd):/work vais:latest vaisc build untrusted.vais
-
Validate import paths:
- Never use user-controlled import paths without validation
- Stick to relative imports within your project
-
Use the security analyzer:
vaisc build --enable-security-analysis main.vais
-
Keep dependencies updated:
vaisc pkg update vaisc pkg audit
- Sign your plugins (when signing is implemented)
- Minimize permissions required
- Validate all inputs from the compiler
- Document security implications of your plugin
-
Sandbox compilation:
- Use containers (Docker, Podman)
- Apply resource limits (CPU, memory, time)
- Disable network access during compilation
-
Limit concurrent compilations:
vaisc build -j 4 # Limit to 4 parallel jobs -
Set timeouts:
- Use process supervisors (systemd, supervisord)
- Apply job timeouts in CI/CD
-
Restrict file system access:
- Read-only mounts for source code
- Separate output directory with size limits
- Path Canonicalization: Import paths are canonicalized to prevent traversal
- FFI Type Validation: FFI boundaries are type-checked for safety
- Memory Safety: Rust-based compiler is memory-safe by default
- Static Analysis: Built-in security analyzer (
vais-securitycrate)
vais-security: Static security analyzer for Vais codevaisc pkg audit: Dependency vulnerability scannervais-supply-chain: Supply chain security tools
Status: Not currently available
We are considering establishing a bug bounty program in the future. Until then, we offer:
- Public recognition and credit
- Direct communication with the development team
- Potential job/collaboration opportunities for significant findings
A: The playground should only be run with proper sandboxing. See security audit report for recommendations. We do NOT recommend running the playground server in production without:
- Containerization (Docker/Podman)
- Resource limits (CPU, memory, timeout)
- Network isolation
- Rate limiting
A: Currently, plugins run with full compiler privileges and can execute arbitrary code. Only load plugins from sources you trust completely. We are working on a permission model for plugins.
A: Contact the package maintainer directly. If the package is in the official registry and the maintainer is unresponsive, you can report to security@vais.dev.
A: We regularly audit our dependencies using cargo audit. If you find a vulnerability in one of our dependencies, please report it to the respective project AND notify us so we can update.
A: Vais is currently in development (0.1.x). While we take security seriously, we recommend:
- Thorough testing before production deployment
- Containerization and sandboxing
- Regular updates
- Security review of your specific use case
Planned security improvements:
- Parser recursion depth limits
- Compilation timeouts
- Playground sandboxing
- Enhanced fuzzing coverage
- Plugin signature verification
- Plugin permission model
- WASM-based plugin sandboxing
- Dependency lock file signing
- Security bug bounty program
- Third-party security audit
- Formal security certification
- Security-focused documentation
- Security Issues: security@vais.dev (or GitHub Security Advisory)
- General Security Questions: GitHub Discussions (tag: security)
- Documentation: docs/SECURITY_AUDIT.md
We thank the security researchers and community members who help keep Vais secure. Notable contributors:
- (This section will be updated as security researchers contribute)
Last Updated: January 31, 2026 Next Review: April 30, 2026