If you discover a security vulnerability in this project, please report it responsibly. Do not open a public GitHub issue.

1. GitHub Private Vulnerability Reporting (Preferred)

   • Go to the Security Advisories page
   • Click "Report a vulnerability"
   • Fill in the details and submit

2. Email

   • Send an email to saifasifmirza@gmail.com
   • Include [SECURITY] in the subject line
   • Provide as much detail as possible (see below)

When reporting a vulnerability, please include:

• Description of the vulnerability
• Steps to reproduce or a proof-of-concept
• Affected version(s)
• Impact assessment (what an attacker could do)
• Suggested fix (if you have one)

• Acknowledgment within 48 hours of your report
• Initial assessment within 7 days
• We will work with you to understand and validate the issue
• A fix will be developed privately and released as a patch version
• You will be credited in the release notes (unless you prefer anonymity)

• Please allow us a reasonable amount of time to address the issue before public disclosure
• We aim to release a fix within 30 days of a confirmed vulnerability
• We will coordinate with you on the disclosure timeline
• We follow responsible disclosure practices

When using CQEngine in your projects:

• Keep dependencies updated — Always use the latest patch version
• Validate serialized data — If using disk/off-heap persistence with KryoSerializer, be aware that deserialization of untrusted data can be dangerous
• Restrict file permissions — When using DiskPersistence or SQLitePersistence, ensure database files have appropriate filesystem permissions
• Use parameterized queries — When using the SQL/CQN string-based query parsers, avoid constructing queries from untrusted user input to prevent injection

This project monitors dependencies for known CVEs. If a vulnerability is found in a transitive dependency, we will release a patch version with the updated dependency as soon as possible.

Current key dependencies and their security posture:

Last audited: March 2026