vyre is the conformance prover for Santh's security infrastructure. A silent-wrong vulnerability in vyre could affect every downstream tool in the Santh ecosystem at internet scale.
If you discover a security vulnerability:
- DO NOT file a public GitHub issue.
- Email: security@santh.dev (PGP key below).
- Expect initial response within 72 hours.
- Expect disclosure coordination per the 90-day policy.

| Version | Supported |
|---|---|
| 0.4.x alpha | yes (all patches receive security fixes) |
| 0.3.x and earlier | no |

- False pass in certify() - a backend that should fail passes.
- Source code injection via TOML rule parser.
- Sandbox escape in reference interpreter.
- Any undefined behavior in the IR that allows arbitrary memory access via a published op.
- Missing conformance check that lets a known-bad backend pass.
- Resource exhaustion in the conformance suite (single input causing OOM/DoS).
- Cat B tripwire bypass (a forbidden pattern escapes detection).
- Documentation that instructs readers into insecure patterns.
- Dependency with a known CVE (updated per Cargo.lock schedule).

- Day 0: report received, triage begins.
- Day 3: initial classification shared with reporter.
- Day 14: fix in progress, CVE requested if applicable.
- Day 90: public disclosure + patch release (coordinated with reporter).

If the reporter wants to disclose earlier, we can coordinate.
Reporters are credited in CHANGELOG.md and the GitHub security advisory unless they request anonymity.
(Placeholder - will be added before 1.0 release. For 0.4 alpha, use plain email.)