We provide security updates for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability in C Lumen, please report it responsibly:

- DO NOT create a public issue
- Email security details to: security@c-lumen.dev
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

We will respond within 48 hours and provide regular updates on our progress.
C Lumen implements several Unicode security measures:

- All input is normalized to Unicode NFC form
  - Prevents canonicalization attacks
  - Ensures consistent processing
- Rejects Unicode bidi overrides (`\u202A`-`\u202E`, `\u2066`-`\u2069`)
  - Prevents text direction attacks
  - Fails fast on suspicious input
- Detects visually similar characters
  - Warns about potential spoofing attacks
  - Optional `--allow-mixed-script` for controlled environments
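As an added illustration (this is not C Lumen's own code), the Python below applies the three measures above in the order the list gives them: NFC normalization, fail-fast rejection of the bidi controls U+202A..U+202E and U+2066..U+2069, and a confusable check that flags identifiers mixing Latin, Cyrillic and Greek letters, gated by an `allow_mixed_script` flag that mirrors `--allow-mixed-script`. The script classification is a heuristic taken from the first word of each character's Unicode name (Python's `unicodedata` exposes no Script property), and the three-script set is an assumption of this example.

```python
import re
import unicodedata

# Bidi override / isolate controls rejected outright:
# U+202A..U+202E (LRE, RLE, PDF, LRO, RLO) and U+2066..U+2069 (LRI, RLI, FSI, PDI).
BIDI_CONTROLS = (frozenset(map(chr, range(0x202A, 0x202F)))
                 | frozenset(map(chr, range(0x2066, 0x206A))))

# Assumed set of mutually confusable scripts. Anything else (digits, underscore,
# punctuation) is treated as "COMMON" and never makes an identifier mixed-script.
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}

# Identifier: a letter or underscore followed by word characters (Unicode-aware).
IDENTIFIER_RE = re.compile(r"[^\W\d]\w*")


class UnicodeSecurityError(ValueError):
    """Raised when input fails one of the fail-fast checks."""


def script_of(ch: str) -> str:
    """Coarse script class from the first word of the character's Unicode name.
    Heuristic only: good enough to catch Latin/Cyrillic/Greek mixing."""
    try:
        first_word = unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed code point (control, unassigned, ...)
        return "UNKNOWN"
    return first_word if first_word in CONFUSABLE_SCRIPTS else "COMMON"


def find_bidi_controls(text: str) -> list:
    """Return (offset, 'U+XXXX') for every bidi control character in text."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def find_mixed_script_identifiers(text: str) -> list:
    """Return every identifier whose letters come from more than one confusable script."""
    mixed = []
    for match in IDENTIFIER_RE.finditer(text):
        ident = match.group()
        scripts = {script_of(ch) for ch in ident} - {"COMMON", "UNKNOWN"}
        if len(scripts) > 1:
            mixed.append(ident)
    return mixed


def sanitize_source(text: str, allow_mixed_script: bool = False):
    """NFC-normalize, reject bidi controls, then detect confusables.
    Returns (normalized_text, warnings); raises UnicodeSecurityError on rejection."""
    normalized = unicodedata.normalize("NFC", text)

    bidi = find_bidi_controls(normalized)
    if bidi:
        offset, codepoint = bidi[0]
        raise UnicodeSecurityError(f"bidi control {codepoint} at offset {offset}")

    warnings = [f"mixed-script identifier: {ident!r}"
                for ident in find_mixed_script_identifiers(normalized)]
    if warnings and not allow_mixed_script:
        raise UnicodeSecurityError(warnings[0])
    return normalized, warnings
```

With the default strict mode a Cyrillic `а` inside an otherwise Latin identifier is fatal; with `allow_mixed_script=True` the same input passes but the warning list is still returned so a build log can surface it.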
- File Type Validation: Only processes `.clumen.c` and `.clumen.cpp` files
- Encoding Validation: Ensures UTF-8 input
- Size Limits: Reasonable limits on file size and token count
- Path Validation: Prevents directory traversal attacks
- Deterministic Output: Same input always produces same output
- Source Maps: Enable precise error reporting without exposing internals
- No Code Execution: Never executes user code
- Sandboxed Processing: Isolated tokenization and mapping
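The four input checks above (file type, encoding, size and path) as an added Python example, not C Lumen's own implementation. The suffixes come from the list; the byte and token limits, the NUL-byte rejection and the crude token counter are assumptions of this example. The path check is purely lexical on POSIX-style paths so it can be unit-tested without touching the filesystem.

```python
import posixpath
import re

ALLOWED_SUFFIXES = (".clumen.c", ".clumen.cpp")
MAX_BYTES = 1 * 1024 * 1024   # assumed limit, not the project's real value
MAX_TOKENS = 200_000          # assumed limit, not the project's real value

# Crude C-ish tokenization: words, or single non-space symbols. Enough to count.
TOKEN_RE = re.compile(r"\w+|[^\w\s]")


class InputValidationError(ValueError):
    """Raised when a source file fails any input check."""


def has_allowed_suffix(filename: str) -> bool:
    """File type validation: only the two localized C/C++ suffixes are accepted."""
    return filename.endswith(ALLOWED_SUFFIXES)


def is_within_root(root: str, user_path: str) -> bool:
    """Path validation: resolve user_path against root lexically and require the
    result to stay under root. Rejects '..' escapes and absolute paths alike."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    try:
        return posixpath.commonpath([root, candidate]) == root
    except ValueError:  # absolute/relative mismatch cannot be under root
        return False


def decode_utf8(data: bytes) -> str:
    """Encoding validation: strict UTF-8 (overlongs and surrogates rejected);
    NUL bytes are rejected as an extra hardening assumption."""
    if b"\x00" in data:
        raise InputValidationError("NUL byte in source")
    try:
        return data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InputValidationError(f"invalid UTF-8 at byte {exc.start}") from exc


def count_tokens(text: str) -> int:
    return len(TOKEN_RE.findall(text))


def validate_source(root: str, user_path: str, data: bytes,
                    max_bytes: int = MAX_BYTES, max_tokens: int = MAX_TOKENS) -> str:
    """Run every check in order, cheapest first; return the decoded text or raise."""
    if not has_allowed_suffix(posixpath.basename(user_path)):
        raise InputValidationError(f"unsupported file type: {user_path}")
    if not is_within_root(root, user_path):
        raise InputValidationError(f"path escapes project root: {user_path}")
    if len(data) > max_bytes:
        raise InputValidationError(f"file exceeds {max_bytes} bytes")
    text = decode_utf8(data)
    if count_tokens(text) > max_tokens:
        raise InputValidationError(f"file exceeds {max_tokens} tokens")
    return text
```

Checking the suffix and the path before reading any bytes keeps the cheap, attacker-controlled decisions ahead of the expensive ones, and the size limit is applied to the raw bytes so a decode of an oversized file never starts.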
- Unicode Attacks
  - Canonicalization attacks
  - Bidirectional text attacks
  - Confusable character attacks
- Input Validation Attacks
  - Malformed input handling
  - Path traversal attempts
  - Resource exhaustion
- Output Integrity
  - Deterministic processing
  - Source map accuracy
  - No information leakage
- Compilation Security
  - C Lumen only translates keywords
  - Compiler security is outside our scope
  - Use secure coding practices
- Runtime Security
  - Generated code security depends on developer practices
  - Memory safety is compiler/runtime responsibility
- Build System Security
  - CMake integration security
  - CI/CD pipeline security
- Validate Inputs

  ```bash
  # Always validate file types
  clumen apply --lang es --in file.clumen.c --out file.c
  ```

- Use Source Maps

  ```bash
  # Generate source maps for debugging
  clumen apply --lang es --in file.clumen.c --out file.c --sourcemap file.map.json
  ```

- Enable Confusable Detection

  ```bash
  # Use strict mode (default)
  clumen apply --lang es --in file.clumen.c --out file.c

  # Only allow mixed scripts when necessary
  clumen apply --lang es --in file.clumen.c --out file.c --allow-mixed-script
  ```

- Verify Output

  ```bash
  # Always verify translations
  clumen verify --ci
  ```

- Use Canonical Sources
  - Only compile canonical `.c`/`.cpp` files
  - Never commit localized source files
  - Use source maps for debugging
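To show what "Use Source Maps" and "Verify Output" buy you in practice, here is an added Python example (not C Lumen's code, and not its real keyword tables or source map format) of a keyword-only translator that records a source map entry per replacement, maps a position reported against the canonical `.c` output back to the localized input, and re-derives the output to confirm the committed canonical file matches, in the spirit of `clumen verify --ci`. The Spanish keyword table and the sample source are constructed for the example.

```python
import hashlib
import re

# Hypothetical Spanish keyword table for illustration only.
ES_KEYWORDS = {
    "entero": "int", "vacio": "void", "si": "if", "sino": "else",
    "mientras": "while", "retornar": "return",
}

WORD_RE = re.compile(r"\w+")


def translate(text: str, keywords: dict):
    """Replace whole-word keywords line by line and record a source map entry
    for each replacement. Simplification: string literals and comments are not
    skipped here, which a real translator must do."""
    out_lines, source_map = [], []
    for line_no, line in enumerate(text.split("\n"), start=1):
        pieces, shift, last = [], 0, 0
        for m in WORD_RE.finditer(line):
            target = keywords.get(m.group())
            if target is None:
                continue
            pieces.append(line[last:m.start()])
            source_map.append({
                "line": line_no,
                "in_col": m.start(),            # column in the localized input
                "out_col": m.start() + shift,   # column in the canonical output
                "from": m.group(),
                "to": target,
            })
            pieces.append(target)
            shift += len(target) - len(m.group())
            last = m.end()
        pieces.append(line[last:])
        out_lines.append("".join(pieces))
    return "\n".join(out_lines), source_map


def map_back(source_map, out_line: int, out_col: int):
    """Map a (line, column) reported against the canonical output back to the
    localized input, so diagnostics point at the file the developer edited."""
    delta = 0
    for e in source_map:
        if e["line"] != out_line or e["out_col"] > out_col:
            continue
        if out_col < e["out_col"] + len(e["to"]):
            return out_line, e["in_col"]   # position lies inside a translated keyword
        delta += len(e["from"]) - len(e["to"])
    return out_line, out_col + delta


def output_digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_output(localized: str, canonical: str, keywords: dict = ES_KEYWORDS) -> bool:
    """CI-style check: re-translate the localized source and compare digests
    with the canonical file that is actually going to be compiled."""
    regenerated, _ = translate(localized, keywords)
    return output_digest(regenerated) == output_digest(canonical)


# Constructed sample input (localized source as a developer would write it).
SAMPLE = "entero main(vacio) {\n    mientras (x) { retornar x; }\n}"
```

Because `translate` is a pure function of its input, running it twice yields byte-identical output and the same digest, which is the property "Deterministic Output" relies on: a CI job can regenerate the canonical file and fail the build if the committed copy drifts.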
Security updates are released as soon as possible after discovery and fix. We follow this process:

- Immediate Response (0-24 hours)
  - Acknowledge vulnerability report
  - Assess severity and impact
  - Begin investigation
- Fix Development (1-7 days)
  - Develop and test fix
  - Coordinate with security team
  - Prepare release
- Release (1-14 days)
  - Release security update
  - Notify users via GitHub security advisories
  - Update documentation
C Lumen undergoes regular security audits:

- Code Review: All changes reviewed for security implications
- Dependency Scanning: Regular updates of security-critical dependencies
- Penetration Testing: Periodic security testing
- Third-Party Audits: External security reviews

Contact:

- Security Issues: security@c-lumen.dev
- General Questions: Open a GitHub issue
- Public Discussion: GitHub Discussions

We thank the security researchers who help keep C Lumen secure through responsible disclosure.