The following versions of Rivulet are currently supported with security updates:
| Version | Supported | End of Support |
|---|---|---|
| 1.3.x | Active development | |
| 1.2.x | ✅ | Until 1.3.0 release |
| 1.1.x | ✅ | Until 1.3.0 release |
| 1.0.x | ✅ | Until 1.3.0 release |
| 1.0.0-alpha | ❌ | No longer supported |
Security patches are provided for the current major.minor version (1.2.x) and the previous two minor versions (1.1.x, 1.0.x).
DO NOT report security vulnerabilities through public GitHub issues.
We use GitHub's private vulnerability reporting feature:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill in the details (see below for what to include)
Alternative: If private reporting is unavailable, email the maintainers directly via GitHub profile contact methods.
Please provide the following information:
- Type of vulnerability (e.g., DoS, memory corruption, information disclosure, remote code execution)
- Affected versions (e.g., 1.2.0, 1.1.5, all versions)
- Affected components (e.g., Rivulet.Core, Rivulet.Diagnostics)
- Full paths of affected source files (if known)
- Step-by-step reproduction instructions
- Proof-of-concept or exploit code (if possible)
- Impact assessment (what can an attacker do?)
- Suggested fix (if you have one)
| Stage | Timeline |
|---|---|
| Initial acknowledgment | Within 48 hours (2 business days) |
| Preliminary assessment | Within 7 days |
| Status updates | Every 7-14 days until resolved |
| Fix development | 30-90 days (depending on severity) |
| Coordinated disclosure | After fix is released |
We follow the CVSS v3.1 scoring system:
- Critical (9.0-10.0): Immediate action, patch within 7 days
- High (7.0-8.9): High priority, patch within 30 days
- Medium (4.0-6.9): Normal priority, patch within 60 days
- Low (0.1-3.9): Low priority, patch within 90 days
If accepted:
- We'll work with you on coordinated disclosure timing
- You'll be credited in the security advisory (if desired)
- A CVE will be requested for trackable vulnerabilities
- A security patch will be released
- A security advisory will be published
If declined:
- We'll explain why the issue doesn't qualify as a security vulnerability
- Alternative solutions or workarounds may be suggested
- The issue may be converted to a regular bug report (with your permission)
We follow coordinated disclosure:
- We'll work with you to agree on a disclosure date
- Typically 90 days after initial report (adjustable)
- Public disclosure occurs after a fix is released
- Credit is given to the reporter (unless anonymity is requested)
The following are not considered security vulnerabilities:
- DoS via resource exhaustion when using unbounded parallelism (use
MaxDegreeOfParallelism) - Issues in third-party dependencies (report to upstream)
- Issues requiring physical access to the machine
- Social engineering attacks
- Issues in example/sample code (not production code)
When using Rivulet in production:
- Always set
MaxDegreeOfParallelismto prevent resource exhaustion - Use timeouts (
PerItemTimeout) for untrusted operations - Validate inputs before parallel processing
- Enable circuit breakers for external service calls
- Monitor metrics to detect abnormal behavior
- Keep dependencies updated (
dotnet list package --outdated)
Security researchers who have responsibly disclosed vulnerabilities:
None yet - be the first!
If you have questions about this security policy:
- Open a GitHub Discussion
- Contact the maintainers via GitHub profile
Thank you for helping keep Rivulet secure! 🔒