# Security Policy
## Reporting Security Vulnerabilities
The Semantic Data Charter team takes security seriously. We appreciate your efforts to responsibly disclose security vulnerabilities.
### How to Report
**Please do NOT report security vulnerabilities through public GitHub issues.**
Instead, please report security vulnerabilities by email to:
**security@axius-sdc.com**
### What to Include
When reporting a security vulnerability, please include:
1. **Description**: A clear description of the vulnerability
2. **Impact**: The potential impact and severity
3. **Reproduction**: Step-by-step instructions to reproduce the issue
4. **Affected Versions**: Which versions are affected
5. **Proof of Concept**: Example code or commands (if applicable)
6. **Suggested Fix**: Proposed solution (if you have one)
### Response Timeline
- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Fix Timeline**: Varies by severity (see below)
## Severity Levels
### Critical (Fix within 7 days)
- Remote code execution
- Authentication bypass
- Data leakage of sensitive information
- Privilege escalation
### High (Fix within 30 days)
- Denial of service attacks
- Significant data integrity issues
- Cross-site scripting (XSS) vulnerabilities
- SQL injection or XML injection
### Medium (Fix within 90 days)
- Information disclosure (non-sensitive)
- Security misconfigurations
- Moderate availability issues
### Low (Fix in next release)
- Minor information leaks
- Non-exploitable issues
- Best practice violations
## Supported Versions
| 4.x | :white_check_mark: |
| < 4.0 | :x: |
**Note**: This project is currently in the planning phase. Security support will begin with the first release.
## Security Best Practices
### For Users
When using sdcvalidatorRust:
1. **Keep Updated**: Always use the latest stable version
2. **Validate Input**: Never trust XML from untrusted sources without validation
3. **Resource Limits**: Set appropriate memory and CPU limits
4. **Schema Validation**: Carefully review XSD schemas from external sources
5. **Error Handling**: Don't expose detailed error messages to end users
### For Developers
When contributing to sdcvalidatorRust:
1. **Input Validation**: Validate all external input
2. **Resource Management**: Prevent resource exhaustion (memory, CPU, file handles)
3. **Error Handling**: Don't leak sensitive information in errors
4. **Dependencies**: Keep dependencies updated and minimal
5. **Code Review**: All code changes require review before merging
## Known Security Considerations
### XML External Entity (XXE) Attacks
The validator will implement protections against XXE attacks:
- Disable external entity processing by default
- Provide secure configuration options
- Document secure usage patterns
### Denial of Service (DoS)
Protections against DoS attacks:
- Limit document size
- Limit parsing depth
- Timeout mechanisms
- Memory usage limits
### Billion Laughs Attack
Protections against entity expansion attacks:
- Limit entity expansion depth
- Track entity expansion ratio
- Configurable expansion limits
### Schema Injection
Protections against malicious schemas:
- Schema validation before use
- Resource limits during schema compilation
- Safe schema composition
## Security Testing
We employ multiple layers of security testing:
1. **Static Analysis**: Using `cargo clippy` and `cargo audit`
2. **Dependency Scanning**: Regular checks for vulnerable dependencies
3. **Fuzzing**: Continuous fuzzing of parser and validator
4. **Penetration Testing**: Regular security assessments
5. **Code Review**: All changes reviewed for security implications
## Vulnerability Disclosure
When a vulnerability is confirmed:
1. We develop and test a fix
2. We prepare a security advisory
3. We notify affected users (if applicable)
4. We publish the fix and advisory simultaneously
5. We credit the reporter (unless anonymity is requested)
## Security Advisories
Security advisories will be published at:
- [GitHub Security Advisories](https://github.com/SemanticDataCharter/sdcvalidatorRust/security/advisories)
- Project documentation
- Release notes
Subscribe to repository notifications to receive security updates.
## Scope
### In Scope
- XML parsing vulnerabilities
- Schema validation bypasses
- Resource exhaustion attacks
- Data injection vulnerabilities
- Authentication/authorization issues (if applicable)
- Cryptographic vulnerabilities (if applicable)
### Out of Scope
- Vulnerabilities in dependencies (report to upstream)
- Social engineering attacks
- Physical security
- Issues in EOL versions
- Theoretical vulnerabilities without practical exploit
## Recognition
We maintain a security hall of fame recognizing security researchers who have responsibly disclosed vulnerabilities. With your permission, we'll credit you in:
- CHANGELOG.md
- Security advisories
- Release notes
If you prefer to remain anonymous, please let us know.
## Compliance
This project aims to comply with:
- OWASP Top 10
- CWE/SANS Top 25
- NIST Cybersecurity Framework
- Healthcare data security standards (HIPAA considerations)
## Security Updates
To receive security updates:
1. Watch this repository for security advisories
2. Subscribe to GitHub notifications
3. Follow release notes and CHANGELOG.md
4. Monitor the project mailing list (if available)
## Questions
For security-related questions that are not vulnerabilities:
- Open a GitHub discussion with the `security` label
- Email security@axius-sdc.com
## Responsible Disclosure
We practice responsible disclosure:
1. We notify affected parties before public disclosure
2. We provide adequate time for users to upgrade
3. We coordinate with other affected projects
4. We publish detailed advisories after fixes are available
## Legal
We will not pursue legal action against security researchers who:
- Report vulnerabilities responsibly
- Act in good faith
- Do not exploit vulnerabilities beyond proof of concept
- Do not access or modify data without authorization
- Follow this security policy
Thank you for helping keep sdcvalidatorRust and its users safe!