Skip to content

Security: EastAgile/readstat-rs

Security

SECURITY.md

Security Policy

Supported Versions

readstat-rs is pre-1.0. Security fixes are applied to the latest published version of each crate (readstat, readstat-cli, readstat-sys, readstat-iconv-sys). Older versions are not maintained — please upgrade to the latest release before reporting an issue.

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Instead, report privately using GitHub's private vulnerability reporting on this repository (the Security tab → Report a vulnerability).

When reporting, please include:

  • The affected crate and version.
  • A description of the vulnerability and its impact.
  • Steps to reproduce, ideally with a minimal .sas7bdat sample or test case.

You can expect an initial acknowledgement within a few days. Once a fix is available, a patched release will be published to crates.io and a GitHub Security Advisory issued.

Scope and Context

readstat-rs parses untrusted binary input (.sas7bdat files) through FFI bindings to the ReadStat C library. Memory-safety is therefore a primary concern. The project runs automated memory-safety checks in CI (Miri, and AddressSanitizer on Linux, macOS, and Windows) plus a weekly fuzzing harness; Valgrind is run manually. See docs/MEMORY-SAFETY.md and docs/TESTING.md.

Vulnerabilities that originate in the upstream ReadStat C library may be forwarded to the ReadStat project in addition to being addressed here where feasible.

There aren't any published security advisories