We take security seriously and provide security updates for the following versions:

Bunsenite provides the following security guarantees:

• Zero unsafe blocks: Enforced by #![deny(unsafe_code)] compiler directive
• Rust ownership model: Prevents use-after-free, double-free, and memory leaks
• No null pointer dereferences: Rust's type system eliminates this class of bugs
• Bounds checking: All array/vector accesses are bounds-checked

• Compile-time guarantees: Type errors are caught before runtime
• No implicit conversions: Explicit type conversions required
• Strong typing: Prevents type confusion vulnerabilities

• Minimal dependencies: Only essential, well-audited crates
• No network dependencies: Offline-first design eliminates network attack surface
• Pinned versions: Dependencies locked to specific versions for reproducibility
• Regular audits: Dependencies audited using cargo audit

• Reproducible builds: Nix flake provides bit-for-bit reproducibility
• Signed releases: All releases are cryptographically signed (planned)
• Transparent development: All changes tracked in public Git repository
• SBOM generation: Software Bill of Materials available (planned)

Please do NOT report security vulnerabilities through public GitHub/GitLab issues.

Report security vulnerabilities via:

1. GitHub Security Advisories: Create a new security advisory (preferred)
2. GitLab Confidential Issue: Use GitLab's confidential issue feature

Please include:

• Description: Clear description of the vulnerability
• Impact: What an attacker could achieve
• Reproduction: Step-by-step instructions to reproduce
• Affected versions: Which versions are affected
• Proposed fix: If you have one (optional)
• Disclosure timeline: Your preferred disclosure timeline

• Initial response: Within 48 hours
• Triage: Within 1 week
• Fix development: Depends on severity (critical: days, low: weeks)
• Public disclosure: Coordinated with reporter, typically 90 days after fix

We use the following severity classifications:

• Remote code execution
• Privilege escalation to admin/root
• Authentication bypass

Response: Patch within 48 hours, immediate release

• SQL injection (not applicable to Bunsenite)
• Information disclosure of sensitive data
• Denial of service affecting availability

Response: Patch within 1 week, expedited release

• Cross-site scripting (XSS) (browser/WASM context)
• Information disclosure of non-sensitive data
• Low-impact denial of service

Response: Patch within 2 weeks, next regular release

• Minor information leaks
• Best practice violations
• Theoretical attacks with no known exploit

Response: Patch within 30 days, next regular release

1. Keep updated: Always use the latest stable version
2. Verify signatures: Check release signatures (when available)
3. Audit dependencies: Run cargo audit regularly
4. Minimal permissions: Run with least privilege necessary
5. Air-gapped environments: Bunsenite works offline by design

1. No unsafe code: Never use unsafe blocks (enforced by compiler)
2. Input validation: Validate all external input
3. Error handling: Use Result types, avoid unwrap() in library code
4. Dependency review: Review new dependencies carefully
5. Security testing: Include security tests in test suite

1. Nickel evaluation: Bunsenite evaluates Nickel code, which could contain:

   • Infinite loops (resource exhaustion)
   • Large memory allocations
   • Consider: Run evaluation in sandboxed environment for untrusted input

2. File I/O: File reading follows OS permissions

   • Does NOT escalate privileges
   • Respects filesystem boundaries

3. WASM sandbox: Browser WASM runs in sandbox, but:

   • Subject to browser security model
   • Can consume memory/CPU (denial of service)

We provide:

• Timeouts: (Planned) Configurable evaluation timeouts
• Memory limits: (Planned) Configurable memory limits for evaluation
• Resource monitoring: (Planned) Track resource usage

Bunsenite does NOT implement cryptography. For cryptographic needs:

• Use established libraries (e.g., ring, sodiumoxide)
• Never roll your own crypto
• Follow NIST/IETF recommendations

• OWASP Top 10: N/A (not a web application)
• CWE Top 25: Memory safety issues prevented by Rust
• GDPR: No personal data collection
• CCPA: No personal data collection

We use:

• cargo audit: Check for known vulnerabilities in dependencies
• cargo clippy: Lint for security anti-patterns
• cargo deny: Check licenses and security advisories
• GitLab Security Scanner: Automated SAST in CI/CD
• Dependabot: (Planned) Automated dependency updates

• GitHub Security Advisories: Report a vulnerability
• Security.txt: See .well-known/security.txt (RFC 9116 compliant)

We believe in responsible disclosure and will credit security researchers who:

• Report vulnerabilities responsibly
• Allow coordinated disclosure
• Follow our security policy

Credits will be listed in:

• CHANGELOG.md
• Release notes
• SECURITY.md (this file)

Security research conducted in good faith will not result in legal action, provided:

• You respect our disclosure timeline
• You do not exploit vulnerabilities beyond proof-of-concept
• You do not access user data or disrupt service
• You comply with applicable laws

We support security researchers and the white-hat community.

Last updated: 2025-12-18 Version: 1.0.2