Currently, only the latest major version sequence of the software is formally supported with security updates.
| Version | Supported |
|---|---|
| v0.5.x | ✅ |
| v0.4.x | ✅ |
| v0.3.x | ✅ |
| < 0.3 | ❌ |
If you discover any security-related issues, please do not report them through public GitHub issues. Instead, please email the maintainers at sachncs@gmail.com.
When reporting a vulnerability, please include:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (if applicable)
| Action | Timeline |
|---|---|
| Acknowledgment of report | Within 48 hours |
| Initial assessment | Within 1 week |
| Regular updates | Weekly until resolved |
| Public disclosure | Coordinated with reporter |
We follow a coordinated disclosure process:
- Report received: We acknowledge receipt and begin investigation
- Assessment: We evaluate the severity and impact
- Fix development: We develop and test a fix
- Release: We release a patch version
- Disclosure: We publish a security advisory after users have had time to update
We request that reporters:
- Allow reasonable time for a fix before public disclosure
- Avoid exploiting the vulnerability beyond what is necessary to demonstrate it
- Act in good faith to avoid privacy violations and data destruction
- Keep
factoriseupdated to the latest version - Use virtual environments to isolate dependencies
- Review dependency updates via Dependabot alerts
- Audit dependencies regularly:
pip-audit
- Never commit secrets, API keys, or credentials
- Use environment variables for configuration
- Validate all external inputs (especially for GNFS adapter)
- Run
just securitybefore submitting PRs - Review code for potential injection vulnerabilities
This project has zero runtime dependencies, which significantly reduces the attack surface. All algorithms are implemented from scratch using only the Python standard library.
Development dependencies are pinned to minimum versions and audited via:
pip-auditfor known vulnerabilities- Dependabot for automated dependency updates
- CycloneDX SBOM generation for supply chain transparency
- Input validation: All public API entry points validate integer inputs
- Timeout controls: GNFS adapter enforces configurable timeouts
- No shell injection: External tool inputs are sanitized; no
os.system()usage - Deterministic builds: Reproducible builds via
SOURCE_DATE_EPOCH - Signed releases: Published via OIDC trusted publishing to PyPI
- SBOM: CycloneDX Software Bill of Materials generated for each release
- Checksums: SHA256 integrity files for all distribution artifacts