| Version | Supported |
|---|---|
| latest | ✅ |
Security updates are applied only to the latest release.
If you have discovered a security vulnerability in this project, please report it privately. Do not disclose it in a public issue. Private reporting gives us time to work with you on a fix before public exposure, reducing the chance that the vulnerability is exploited before a patch is available.
Please report security vulnerabilities via one of the following methods:
- GitHub Security Advisory: open a private security advisory against the repository
- Email: Contact the GraphScope team at graphscope@alibaba-inc.com
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)
Our response timeline is as follows:
- Initial Response: We aim to acknowledge receipt of your report within 24 hours.
- Investigation: We will investigate and validate the issue within 2 days.
- Resolution: We aim to provide a fix within 90 days, depending on complexity.
We follow a coordinated disclosure process:
- Reporter submits vulnerability privately
- We confirm and investigate the issue
- We develop and test a fix
- We release the fix and publish a security advisory
- Reporter may then disclose publicly (after fix is released)
When using NeuG in production, we recommend the following:
- Keep NeuG updated to the latest version
- Use appropriate access controls for database files
- Validate and sanitize all user inputs before query execution
- Follow the principle of least privilege for service deployments
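The last three practices can be turned into pre-flight checks that a service runs before it starts serving queries. The Python below is an added illustration for this page, not NeuG's or GraphScope's own code. It assumes (as assumptions, not facts from this page) that the database lives in a single file, that queries use a Cypher-like language with bound parameters, and that `ALLOWED_LABELS` / `ALLOWED_PROPS` are constructed allowlists; the hostile input in the demo is likewise constructed.

```python
"""Deployment pre-flight checks for the practices listed above.

Illustrative code added to this page; it is not part of NeuG or GraphScope.
Assumptions (not from the project): the graph is queried with a Cypher-like
language that supports bound parameters, the database is a single file, and
ALLOWED_LABELS / ALLOWED_PROPS are constructed allowlists for this example.
"""
import os
import stat

# Permission bits a private database file should never carry.
GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH
WORLD_READABLE = stat.S_IROTH


def audit_mode(mode, uid, expected_uid=None):
    """Return findings for a file's st_mode/st_uid; an empty list means OK."""
    findings = []
    if mode & GROUP_OR_WORLD_WRITABLE:
        findings.append("writable by group or others")
    if mode & WORLD_READABLE:
        findings.append("readable by others")
    if expected_uid is not None and uid != expected_uid:
        findings.append(f"owned by uid {uid}, expected {expected_uid}")
    return findings


def audit_db_file(path, expected_uid=None):
    """stat() the database file and audit it with audit_mode().

    Intended use: run at service start-up and refuse to start (fail closed)
    if the returned list is non-empty.
    """
    st = os.stat(path)
    return audit_mode(st.st_mode, st.st_uid, expected_uid)


# Constructed allowlists: the only labels and properties user input may select.
ALLOWED_LABELS = frozenset({"Person", "Company"})
ALLOWED_PROPS = frozenset({"name", "id"})


def unsafe_lookup_query(label, prop, value):
    """Anti-pattern: user input spliced straight into the query text, so a
    crafted value can change the query's structure."""
    return f"MATCH (n:{label}) WHERE n.{prop} = '{value}' RETURN n"


def build_lookup_query(label, prop, value):
    """Hardened form: identifiers (which in Cypher-like languages usually
    cannot be bound as parameters) are checked against an allowlist before
    interpolation, and the user-controlled value is returned separately as a
    bound parameter so it never enters the query text."""
    if label not in ALLOWED_LABELS:
        raise ValueError(f"label not allowed: {label!r}")
    if prop not in ALLOWED_PROPS:
        raise ValueError(f"property not allowed: {prop!r}")
    query = f"MATCH (n:{label}) WHERE n.{prop} = $value RETURN n"
    return query, {"value": value}


if __name__ == "__main__":
    hostile = "x' OR true RETURN n //"  # constructed malicious input
    print(unsafe_lookup_query("Person", "name", hostile))  # structure altered
    print(build_lookup_query("Person", "name", hostile))   # value stays data
    print(audit_mode(0o100666, 1000, 1000))                # two findings
```

Run `audit_db_file()` with the uid of the service account you deploy under; a finding means the file is readable or writable by more than that account, which is exactly what "least privilege for service deployments" is meant to prevent. The query helper shows the distinction that matters for sanitisation: identifiers get allowlisted, values get bound, and nothing user-controlled is ever concatenated into the query string.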
We appreciate the security research community's efforts in responsibly disclosing vulnerabilities. Contributors who report valid security issues will be acknowledged in release notes (unless they prefer to remain anonymous).