We actively support the following versions with security updates:

• Current major version (1.x): Full security support
• Previous major version: Security fixes for 6 months after new major release
• Pre-release versions: No security support (upgrade to stable release)

Mebo is a data format library that processes time-series data. Security considerations:

• Go's Memory Safety: Protected by Go's memory management and bounds checking
• Buffer Overflows: Not possible due to Go's runtime safety guarantees
• Integer Overflows: We use safe arithmetic and check for overflow conditions in critical paths

• Malformed Data: Decoders validate input data structure before processing
• Resource Exhaustion: Decoders check for reasonable sizes to prevent memory exhaustion
• Hash Collisions: We use xxHash64 (64-bit) which has astronomically low collision probability

• Processing trusted data from your own systems
• Internal time-series data pipelines
• Data storage for monitoring systems
• Performance benchmarking and testing

• Untrusted Data Sources: If processing data from untrusted sources:

  • Implement size limits on input data
  • Use timeouts for decoding operations
  • Validate data origin and integrity (use checksums/signatures)
  • Consider sandboxing decoders

• Public-Facing Services: If exposing Mebo in public APIs:

  • Enforce rate limiting
  • Implement request size limits
  • Add input sanitization layers
  • Monitor resource usage

• Encryption: Mebo does not encrypt data (use TLS/encryption at transport/storage layer)
• Authentication: No authentication mechanism (implement at application layer)
• Digital Signatures: No data signing (use external signing if needed)
• Access Control: No authorization (implement at application layer)

• Memory: Decoding allocates memory proportional to output size
• CPU: Compression codecs can be CPU-intensive
• Decompression Bombs: Highly compressed malicious data could expand to large size
  • Mitigation: Implement max output size limits in your application

Report security vulnerabilities if you discover:

• Memory safety issues (buffer overflows, use-after-free, etc.)
• Denial of service vulnerabilities
• Resource exhaustion attacks
• Integer overflow leading to incorrect behavior
• Panic conditions that crash the application
• Compression bomb vulnerabilities

These are not security issues:

• Feature requests
• Performance issues (unless DoS-related)
• Compatibility problems
• Documentation issues
• General bugs that don't have security implications

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities via:

1. Go to: https://github.com/arloliu/mebo/security/advisories
2. Click "Report a vulnerability"
3. Fill out the form with:
   • Description of the vulnerability
   • Steps to reproduce
   • Affected versions
   • Potential impact
   • Suggested fix (if known)

If you cannot use GitHub Security Advisories:

• Email: [security@arlolib.dev] (Replace with actual security email)
• Subject: [SECURITY] Mebo Vulnerability Report
• Use encrypted email if possible (PGP key: [link to PGP key])

Please provide:

1. Description: Clear explanation of the vulnerability
2. Steps to Reproduce:

   // Example code demonstrating the issue
   encoder := NewEncoder()
   // ... steps that trigger vulnerability

3. Impact: What an attacker could do with this vulnerability
4. Affected Versions: Which versions are affected
5. Proof of Concept: Minimal code to demonstrate the issue
6. Suggested Fix: If you have ideas for fixing it

Vulnerability: Decoder Panic on Malformed Input

Description:
The NumericDecoder panics when processing specially crafted input
with invalid header flags, causing service crashes.

Steps to Reproduce:
1. Create malformed blob with invalid flag combination (0xFF)
2. Call decoder.Decode(malformedData)
3. Application crashes with panic

Impact:
- Denial of service for applications processing untrusted data
- Service crashes requiring restart

Affected Versions:
- v1.0.0 through v1.2.3

Proof of Concept:
[Attached: poc.go]

Suggested Fix:
Add flag validation in parseHeader() before processing.

• Remote code execution
• Arbitrary memory corruption
• Response: Fix within 48 hours, emergency release

• Denial of service attacks
• Significant resource exhaustion
• Response: Fix within 1 week, expedited release

• Local denial of service
• Minor information disclosure
• Response: Fix in next minor release (2-4 weeks)

• Edge case issues
• Theoretical vulnerabilities
• Response: Fix in next scheduled release

✅ We will:

• Acknowledge your report within 48 hours
• Keep you informed of progress
• Credit you in the security advisory (unless you prefer anonymity)
• Coordinate disclosure timing with you
• Release a fix as quickly as possible

❌ We will not:

• Ignore your report
• Discourage responsible disclosure
• Take legal action against good-faith researchers

Published security advisories are available at:

• GitHub Security Advisories: https://github.com/arloliu/mebo/security/advisories
• CHANGELOG.md: Security fixes are documented in version history

If you're using Mebo in production:

# Check for updates
go list -m -u github.com/arloliu/mebo

# Update to latest patch version
go get -u=patch github.com/arloliu/mebo

# Update to latest version (test thoroughly first)
go get -u github.com/arloliu/mebo

const maxBlobSize = 10 * 1024 * 1024 // 10 MB

func decodeBlob(data []byte) error {
    if len(data) > maxBlobSize {
        return fmt.Errorf("blob too large: %d bytes", len(data))
    }

    decoder := blob.NewNumericDecoder()
    return decoder.Decode(data)
}

func decodeWithTimeout(data []byte, timeout time.Duration) error {
    ctx, cancel := context.WithTimeout(context.Background(), timeout)
    defer cancel()

    done := make(chan error, 1)
    go func() {
        decoder := blob.NewNumericDecoder()
        done <- decoder.Decode(data)
    }()

    select {
    case err := <-done:
        return err
    case <-ctx.Done():
        return fmt.Errorf("decode timeout exceeded")
    }
}

• Set memory limits for processes using Mebo
• Monitor CPU usage during compression/decompression
• Log and alert on unusual resource consumption

func processBlob(data []byte, trustedSource bool) error {
    if !trustedSource {
        // Extra validation for untrusted data
        if len(data) < 10 || len(data) > maxSize {
            return fmt.Errorf("invalid blob size")
        }

        // Verify checksum/signature if available
        if !verifyIntegrity(data) {
            return fmt.Errorf("integrity check failed")
        }
    }

    return decodeBlob(data)
}

Mebo depends on:

• cespare/xxhash: For hash computation
• klauspost/compress: For compression codecs (zstd, s2)
• pierrec/lz4: For LZ4 compression

We monitor these dependencies for security issues and update them promptly.

Use govulncheck to scan for known vulnerabilities:

# Install govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest

# Scan project
govulncheck ./...

We run govulncheck in CI and will address any discovered vulnerabilities promptly.

We follow coordinated disclosure:

1. Private Reporting: Researchers report vulnerabilities privately
2. Fix Development: We develop and test a fix (kept private)
3. Coordinated Release: We coordinate release timing with reporter
4. Public Disclosure: Advisory published after patch is available
5. Credit: Researcher credited (unless they prefer anonymity)

• Standard: 90 days from report to public disclosure
• Can be extended: If fix is complex or affects many systems
• Can be accelerated: If vulnerability is actively exploited

We support security research and will not pursue legal action against researchers who:

• Report vulnerabilities responsibly through proper channels
• Do not exploit vulnerabilities beyond what's needed for proof of concept
• Do not access or modify data beyond what's needed for research
• Give us reasonable time to fix issues before public disclosure

We will recognize security researchers who responsibly disclose vulnerabilities:

Thank you for helping keep Mebo secure! 🔒

For security-related questions:

• Vulnerabilities: Use GitHub Security Advisories or security email
• General security questions: Open a GitHub Discussion
• Implementation guidance: See documentation or ask in Discussions

Last Updated: 2025-01-XX (Update with actual date at release)