| Version | Supported |
|---|---|
| 0.4.x | Yes |
| < 0.4 | No |
Caution
Do NOT open public GitHub issues for security vulnerabilities.
To report a security vulnerability:
- Open a private security advisory via GitHub (Settings → Security → Advisories)
- Or email the maintainers directly
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
We will respond within 48 hours.
- No
unsafecode — Entire codebase is safe Rust - Path traversal prevention — All file operations are validated
- Input validation — All TOML parsing with size limits
- Local-only data — No network, no telemetry, no cloud sync
- Secure defaults — Restrictive file permissions
| Protection | Implementation |
|---|---|
| Path traversal | Canonical path validation |
| Content limits | Max file size, scenario count limits |
| Input sanitization | All user input validated |
| Error handling | No sensitive data in errors |
| Dependencies | Regular cargo audit checks |
- Only load scenarios from trusted sources
- Run with standard user privileges (never as root)
- Verify downloads via SHA256 checksums
- Keep updated — use latest release
chmod 755 helix-trainer
chmod 700 ~/.config/helix-trainer/Important
All code must pass cargo clippy -- -D warnings and cargo audit.
Requirements:
- Validate all user input
- Sanitize file paths
- Use
?operator instead of.unwrap() - Add security tests for new features
- No secrets in commits
- Scenario Files — TOML files are parsed from restricted directories only
- Terminal I/O — Raw mode requires terminal access
- User Data — Stored unencrypted in
~/.config/helix-trainer/
Every PR runs:
cargo clippy -- -D warningscargo deny check(license and vulnerability audit)- All tests must pass