Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in pickle-fuzzer, please report it to:

Email: security@cisco.com

When reporting a vulnerability, please include:

• Description: Clear explanation of the vulnerability
• Impact: Potential security impact and affected versions
• Steps to Reproduce: Detailed steps to reproduce the issue
• Proof of Concept: Code or commands demonstrating the vulnerability (if applicable)
• Suggested Fix: Proposed solution or mitigation (if you have one)
• Your Contact Information: For follow-up questions

• Initial Response: Within 5 business days
• Status Updates: Every 7 days until resolved
• Disclosure: Coordinated with reporter after fix is available

1. Vulnerability is reported and acknowledged
2. Issue is validated and severity assessed
3. Fix is developed and tested
4. Security advisory is prepared
5. Fix is released with advisory
6. Public disclosure (coordinated with reporter)

We recommend always using the latest version for the most up-to-date security fixes.

pickle-fuzzer is a security testing tool that generates pickle bytecode for fuzzing and testing purposes. By design, it creates potentially malicious pickle data.

• DO NOT use generated pickles in production systems
• DO NOT unpickle generated data without proper sandboxing
• DO use in isolated testing environments only
• DO follow responsible disclosure for vulnerabilities found using this tool
• DO ensure you have authorization before testing third-party systems

• Generated pickles may trigger security scanners (this is expected)
• Some generated pickles may cause resource exhaustion in parsers
• Mutation features can produce invalid or malformed pickles intentionally

If you discover vulnerabilities in other projects using pickle-fuzzer:

1. Report to the affected project's security team first
2. Allow reasonable time for fixes (typically 90 days)
3. Coordinate public disclosure with the affected project
4. Credit researchers appropriately

When using pickle-fuzzer for security research:

• Isolate: Run in containers or VMs
• Monitor: Watch for resource exhaustion
• Document: Keep records of findings
• Coordinate: Work with affected vendors
• Respect: Follow responsible disclosure practices

For security-related questions or concerns:

• Email: security@cisco.com
• PGP Key: Available upon request

For general questions, use GitHub Issues.

Thank you for helping keep pickle-fuzzer and its users safe!