## Supported Versions

| Version | Supported |
|---|---|
| 0.1.x | ✅ Current |
## Reporting a Vulnerability

If you discover a security vulnerability in Plumbum, do not open a public issue. Instead, please report it privately:

- Use GitHub Security Advisories to report the vulnerability directly.
- Alternatively, email the maintainer with details.

Please include:

- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Suggested fix (if any)

Response timeline:

- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Fix or mitigation: within 30 days for confirmed vulnerabilities
## Scope

Plumbum processes untrusted network data (PCAP files, Zeek logs). The following are in scope:

- Memory safety issues in the PCAP/DNS wire-format parser
- SQLite injection via crafted DNS records
- Denial of service via malformed input
- Path traversal in export or init commands

Out of scope:

- Vulnerabilities in upstream dependencies (report those upstream)
- Issues requiring physical access to the machine
- Social engineering
## Security Design

- No `unsafe` blocks in application code
- No external parsing dependencies — all wire-format parsing is hand-written with bounds checking
- SQLite parameterized queries throughout — no string interpolation in SQL
- Input validation before persistence
- WAL mode with foreign key enforcement
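As an added illustration of the "hand-written parsing with bounds checking" approach described above (example code, not Plumbum's own parser), here is a safe-Rust decoder for DNS wire-format names: every byte access goes through `.get()` so malformed or truncated input yields an `Err` rather than a panic, the RFC 1035 255-byte name cap is enforced, and compression pointers are capped at a constructed `MAX_JUMPS` bound so a pointer cycle cannot spin forever.

```rust
// Added example (not Plumbum's own code): bounds-checked DNS wire-format
// name decoder. No `unsafe`; malformed input is an Err, never a panic.
const MAX_NAME_LEN: usize = 255; // RFC 1035 cap on a whole wire-format name
const MAX_JUMPS: usize = 16;     // constructed bound on compression pointer hops

#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, NameTooLong, PointerLoop, BadLabelType }

/// Decode the name starting at `offset`; returns the dotted name and the
/// offset just past the name field in the original (un-jumped) stream.
pub fn read_name(msg: &[u8], mut offset: usize) -> Result<(String, usize), ParseError> {
    let mut labels: Vec<String> = Vec::new();
    let mut total = 0usize;            // wire bytes accumulated, for the 255 cap
    let mut jumps = 0usize;
    let mut end: Option<usize> = None; // set at the first pointer: field ends there
    loop {
        let len = *msg.get(offset).ok_or(ParseError::Truncated)? as usize;
        match len & 0xC0 {
            0x00 => {                  // ordinary label; len <= 63 by construction
                offset += 1;
                if len == 0 { break; } // root label terminates the name
                total += len + 1;
                if total > MAX_NAME_LEN { return Err(ParseError::NameTooLong); }
                let raw = msg.get(offset..offset + len).ok_or(ParseError::Truncated)?;
                labels.push(raw.escape_ascii().to_string()); // escape non-printables
                offset += len;
            }
            0xC0 => {                  // compression pointer: 14-bit offset follows
                let lo = *msg.get(offset + 1).ok_or(ParseError::Truncated)? as usize;
                if end.is_none() { end = Some(offset + 2); }
                jumps += 1;
                if jumps > MAX_JUMPS { return Err(ParseError::PointerLoop); }
                offset = ((len & 0x3F) << 8) | lo;
            }
            _ => return Err(ParseError::BadLabelType), // 0x40 / 0x80 are reserved
        }
    }
    let name = if labels.is_empty() { ".".to_string() } else { labels.join(".") };
    Ok((name, end.unwrap_or(offset)))
}

fn main() {
    // Constructed message: "www.example.com", a pointer to "example.com", a self-pointer.
    let msg = [3, b'w', b'w', b'w', 7, b'e', b'x', b'a', b'm', b'p', b'l', b'e',
               3, b'c', b'o', b'm', 0, 0xC0, 0x04, 0xC0, 0x13];
    println!("{:?}", read_name(&msg, 0));  // Ok(("www.example.com", 17))
    println!("{:?}", read_name(&msg, 19)); // Err(PointerLoop)
}
```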