Security: helixlang/helix-lang

.github/SECURITY.md

Helix Security Policy

Supported Versions

Helix supports and provides security updates for the following versions:

  • Latest Version: The most recent stable release of Helix.
  • Previous Version: The release immediately preceding the latest version.

Security updates for older versions may be provided on a case-by-case basis, depending on the severity of the issue and the feasibility of applying a fix to the older codebase.

Version Numbering

The Helix compiler uses semantic versioning for its releases. The version number is formatted as MAJOR.MINOR.PATCH, where:

  • MAJOR: Incremented for incompatible API changes.
  • MINOR: Incremented for new features that are backward-compatible.
  • PATCH: Incremented for backward-compatible bug fixes.

We recommend always using the latest stable release to ensure you have the latest features and security updates.

Reporting a Vulnerability

At Helix, we take security issues seriously. If you discover a security vulnerability, we appreciate your efforts to responsibly disclose the details to us. Please follow the guidelines below to ensure a smooth and secure disclosure process.

Contact Information

Please report security vulnerabilities to our dedicated security team at:

Guidelines for Reporting

  1. Provide a Detailed Description:

    • Include a detailed description of the vulnerability.
    • Explain the potential impact and severity of the issue.
    • Provide any relevant code, logs, or other information that can help reproduce and understand the issue.
  2. Steps to Reproduce:

    • Include clear, step-by-step instructions to reproduce the vulnerability.
    • Provide any necessary scripts, files, or tools needed to replicate the issue.
  3. Proof of Concept:

    • If possible, include a proof-of-concept (PoC) demonstrating the vulnerability.
    • Explain how the PoC works and what it aims to demonstrate.
  4. Mitigation and Remediation Suggestions:

    • If you have any suggestions for mitigating or fixing the vulnerability, please include them.

Response Process

  1. Acknowledgment:

    • We will acknowledge receipt of your vulnerability report within 2 business days.
  2. Investigation:

    • Our security team will investigate the reported issue.
    • We may contact you for additional information or clarification during the investigation.
  3. Assessment:

    • We will assess the severity and impact of the vulnerability.
    • We will prioritize the issue based on its severity and potential impact.
  4. Fix Development:

    • Our development team will work on a fix for the vulnerability.
    • We will keep you informed of our progress and provide an estimated timeline for the release of the fix.
  5. Release and Notification:

    • We will release the fix as soon as it is ready and thoroughly tested.
    • We will notify you when the fix is released and provide credit for your responsible disclosure, if desired.

Responsible Disclosure

We encourage responsible disclosure of security vulnerabilities. We request that you:

  • Do Not Publicly Disclose: Do not publicly disclose the vulnerability until we have had a reasonable amount of time to investigate and address the issue.
  • Collaborate: Work with us to resolve the issue quickly and effectively.
  • Respect Privacy: Respect user privacy and data protection regulations.

Security Best Practices

While we strive to maintain the highest security standards, we also encourage our users and contributors to follow security best practices:

  • Keep Dependencies Up-to-Date: Regularly update all dependencies to the latest versions to mitigate known vulnerabilities.
  • Use Strong Passwords: Use strong, unique passwords for all accounts.
  • Enable Two-Factor Authentication: Enable two-factor authentication (2FA) for additional security.
  • Regularly Back Up Data: Regularly back up your data and verify the integrity of your backups.
  • Monitor for Suspicious Activity: Monitor your systems for any unusual or suspicious activity.

Acknowledgements

We thank all security researchers and community members who help us maintain the security and integrity of Helix. Your efforts are invaluable in keeping our project safe and secure.


Thank you for helping us improve the security of Helix. Your responsible disclosure and collaboration are greatly appreciated.

For any further questions or concerns regarding our security policy, please contact us at security@helix-lang.com.