If you discover a security vulnerability in cntryl-stress, please DO NOT open a public GitHub issue. Instead, please report it responsibly through one of the following channels:

- Email: Send details to the maintainers (look for the security contact in the repository)
- GitHub Security Advisory: Use GitHub's private vulnerability reporting feature:
  - Go to the repository
  - Click the "Security" tab
  - Click "Report a vulnerability"
  - Fill out the form with details

Please provide:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
- Your contact information

We will:

- Acknowledge your report within 48 hours
- Investigate and confirm the vulnerability
- Develop a fix for all affected versions
- Release a patched version
- Credit you in the security advisory (unless you prefer anonymity)

Security considerations when using cntryl-stress:

- Input Validation: Ensure benchmark code doesn't execute untrusted code
- File Permissions: Output files are written to `target/stress/`; ensure proper permissions on that directory and its contents
- Resource Limits: Long-running benchmarks can consume significant memory/CPU
- Baseline Files: Keep baseline JSON files secure if they contain sensitive benchmark data

We keep dependencies minimal and up-to-date:

- Run `cargo update` regularly
- Use `cargo audit` to check for known vulnerabilities
- Report any dependency vulnerabilities found

Supported versions:

| Version | Status | Security Updates |
|---|---|---|
| 0.1.x | Current | Yes - all patches |
| < 0.1.0 | Legacy | No |

Once a fix is available, we will:

- Release a patched version
- Post a security advisory on GitHub
- Credit the reporter (with permission)
- Update this file if needed

Security best practices for contributors:

- Don't commit secrets or credentials
- Use `git-secrets` or similar tools
- Review dependencies before adding them
- Follow Rust security guidelines
- Use clippy with `-- -D warnings` (i.e. `cargo clippy -- -D warnings`) so that warnings fail the build

If you have questions about security:

- Check this policy first
- Look at existing security advisories
- Contact maintainers privately for security concerns

Last Updated: 2026-02-17