We actively support the following versions of Fennel with security updates:
| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| 1.3.x | ❌ |
| < 1.3 | ❌ |
We take the security of Fennel seriously. If you discover a security vulnerability, please follow these steps:
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
- Email: Send details to stephan.meighenberger@gmail.com
- Private Security Advisory: Use GitHub's private vulnerability reporting
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it
- Initial Response: We will acknowledge your report within 48 hours
- Status Update: We will provide a detailed response within 7 days indicating next steps
- Fix Timeline: We aim to release a fix within 30 days for critical vulnerabilities
- Disclosure: We will coordinate with you on public disclosure timing
After reporting a vulnerability:
- We will confirm receipt of your report
- We will investigate and validate the vulnerability
- We will develop and test a fix
- We will release a security patch
- We will publicly disclose the vulnerability (with credit to you, if desired)
When using Fennel:
- Always use the latest version
- Keep dependencies up to date
- Follow secure coding practices when integrating Fennel
- Validate all user inputs before passing to Fennel functions
- Run Fennel in a sandboxed environment when processing untrusted data
Fennel is primarily a scientific computing library. However, be aware:
- Input Validation: While v2.0+ includes comprehensive input validation, always validate data from untrusted sources
- Resource Usage: Large energy values or extensive wavelength arrays can consume significant memory
- File Operations: Fennel reads parametrization data from pickle files - ensure these files are from trusted sources
Security updates will be:
- Released as patch versions (e.g., 2.0.1)
- Documented in CHANGELOG.md
- Announced in GitHub releases
- Tagged with the
securitylabel
For any security concerns, contact:
- Email: stephan.meighenberger@gmail.com
- GitHub: @MeighenBergerS
Thank you for helping keep Fennel and its users safe!