Currently, only the latest version of Robocodec receives security updates.

| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |

If you discover a security vulnerability, please report it responsibly.
Do NOT open a public issue for security vulnerabilities.
Instead, please send an email to: security@archebase.com
Include the following information in your report:
- Description: A clear description of the vulnerability
- Impact: The potential impact of the vulnerability
- Steps to reproduce: Detailed steps to reproduce the issue
- Proof of concept: If applicable, include a proof of concept
- Affected versions: Which versions are affected

After you send a report, you can expect the following:
- Confirmation: You will receive an email acknowledging receipt of your report
- Assessment: We will assess the vulnerability and determine its severity
- Resolution: We will work on a fix and coordinate disclosure with you
- Disclosure: We will announce the security fix when a patch is available
We aim to respond to security reports within 48 hours and provide regular updates on our progress.

When using Robocodec with untrusted data:
- Validate Input: Always validate data from untrusted sources
- Sandbox: Consider running data processing in sandboxed environments
- Resource Limits: Set appropriate limits on file sizes and processing time
- Keep Updated: Use the latest version to benefit from security fixes

Robocodec includes several security-conscious design choices:
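The list above asks callers to validate input and to cap file size and processing time before decoding untrusted data. The following Rust program is an added illustration of how to wire those limits around a decoder; it is not part of Robocodec and does not use Robocodec's API. The `decode_records` function is a hypothetical stand-in for the real decoder, the `Limits` and `LimitError` types are assumptions made for this example, and the sample inputs are constructed.

```rust
use std::io::Read;
use std::sync::mpsc::{self, RecvTimeoutError};
use std::thread;
use std::time::Duration;

/// Limits applied to one untrusted input before and during decoding (assumed type).
#[derive(Clone, Copy, Debug)]
pub struct Limits {
    pub max_bytes: usize,
    pub max_time: Duration,
}

/// Why an untrusted input was rejected (assumed type).
#[derive(Debug, PartialEq)]
pub enum LimitError {
    TooLarge { limit: usize },
    Timeout { limit: Duration },
    Invalid(String),
    Io(String),
}

/// Read `src` but refuse anything larger than `max_bytes`. `take(max_bytes + 1)`
/// detects an oversized input while buffering at most one byte past the limit,
/// so the size check never requires holding an unbounded stream in memory.
pub fn read_bounded<R: Read>(src: R, max_bytes: usize) -> Result<Vec<u8>, LimitError> {
    let mut buf = Vec::with_capacity(max_bytes.min(64 * 1024));
    src.take(max_bytes as u64 + 1)
        .read_to_end(&mut buf)
        .map_err(|e| LimitError::Io(e.to_string()))?;
    if buf.len() > max_bytes {
        return Err(LimitError::TooLarge { limit: max_bytes });
    }
    Ok(buf)
}

/// Run `work` on `input` in a worker thread and stop waiting after `max_time`.
/// The caller regains control on time; a runaway worker is abandoned rather
/// than allowed to stall the caller.
pub fn run_with_deadline<T, F>(input: Vec<u8>, max_time: Duration, work: F) -> Result<T, LimitError>
where
    T: Send + 'static,
    F: FnOnce(&[u8]) -> T + Send + 'static,
{
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || {
        // If the caller has already given up, the send fails and that is fine.
        let _ = tx.send(work(&input));
    });
    rx.recv_timeout(max_time).map_err(|e| match e {
        RecvTimeoutError::Timeout => LimitError::Timeout { limit: max_time },
        RecvTimeoutError::Disconnected => LimitError::Io("worker exited without a result".into()),
    })
}

/// Hypothetical decoder standing in for the real one: treats the input as
/// newline-separated records, requires valid UTF-8 and non-empty records, and
/// returns the record count. Every check runs before any record is acted on.
pub fn decode_records(bytes: &[u8]) -> Result<usize, LimitError> {
    let text = std::str::from_utf8(bytes).map_err(|_| LimitError::Invalid("not UTF-8".into()))?;
    let mut count = 0;
    for (i, line) in text.lines().enumerate() {
        if line.trim().is_empty() {
            return Err(LimitError::Invalid(format!("empty record at line {}", i + 1)));
        }
        count += 1;
    }
    Ok(count)
}

/// Size check first, then time-bounded decode: an oversized input is rejected
/// before any decoding work is spent on it.
pub fn process_untrusted<R: Read>(src: R, limits: Limits) -> Result<usize, LimitError> {
    let bytes = read_bounded(src, limits.max_bytes)?;
    run_with_deadline(bytes, limits.max_time, decode_records)?
}

fn main() {
    let limits = Limits { max_bytes: 1024, max_time: Duration::from_millis(200) };
    // Constructed sample inputs, not real Robocodec data.
    let sample: &[u8] = b"record-1\nrecord-2\nrecord-3\n";
    println!("small valid input: {:?}", process_untrusted(sample, limits));
    let oversized = vec![b'x'; 4096];
    println!("oversized input:   {:?}", process_untrusted(oversized.as_slice(), limits));
}
```

The size limit is enforced on the raw byte stream before decoding starts, and the time limit wraps the decode itself; applying them in that order means a very large file costs at most one bounded read, and a pathological but small file costs at most `max_time` of the caller's wait. In a real deployment the abandoned worker thread should also be given a way to stop (a cancellation flag or running the decode in a separate process), since `recv_timeout` only bounds the caller's wait, not the worker's CPU use.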
- Memory Safety: Rust provides memory safety guarantees
- Input Validation: Schema validation for decoded messages
- No Arbitrary Code Execution: Schemas are declarative, not executable

We regularly update dependencies to address security vulnerabilities:
- Automatic dependency updates via Dependabot
- Regular security audits of dependencies
- Minimal dependency footprint for attack surface reduction

We follow coordinated disclosure:
1. Fix the vulnerability
2. Release a new version
3. Publish a security advisory (if applicable)
4. Announce the fix

We do not disclose vulnerability details before a fix is available, unless the vulnerability is already publicly known.