We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| 1.0.x | ❌ |
We take the security of Advanced C# Concepts seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
- Email: [email protected]
- Subject: [SECURITY] Brief description of the issue
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
- Acknowledgment: We will send you an acknowledgment within 48 hours.
- Communication: We will keep you informed of the progress towards a fix and full announcement.
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous).
- Triage: We will assess the vulnerability and determine its severity.
- Fix Development: We will develop a fix in a private repository.
- Testing: The fix will be thoroughly tested.
- Release: We will release a security patch.
- Disclosure: We will publicly disclose the vulnerability after the patch is released.
When using this project:
- Keep Dependencies Updated: Regularly update to the latest version.
- Code Review: Review any code before running in production.
- Input Validation: Always validate user input in your applications.
- Principle of Least Privilege: Run applications with minimal required permissions.
- Benchmarks should only be run in trusted environments.
- Benchmark data may consume significant system resources.
- Ensure proper synchronization when using parallel processing examples in production.
- Be aware of thread safety implications.
- Span<T> examples use stack allocation - ensure adequate stack size.
- ArrayPool<T> buffers must be returned to avoid memory leaks.
We use the following tools to maintain security:
- Dependabot: Automated dependency updates
- CodeQL: Static code analysis
- dotnet format: Code quality checks
- Unit Tests: 100% critical path coverage
This security policy may be updated from time to time. Please check back regularly for updates.
Last Updated: 2025-01-16