Security updates are provided for the following versions:

We take security seriously. If you discover a security vulnerability in zql, please report it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

• Email: security@zql.dev
• Subject: [SECURITY] Vulnerability Report - zql

When reporting a vulnerability, please include:

1. Description: A clear description of the vulnerability
2. Impact: Potential impact and severity
3. Steps to Reproduce: Detailed reproduction steps
4. Proof of Concept: Code demonstrating the vulnerability (if applicable)
5. Environment: Your system details (OS, Zig version, etc.)
6. Contact Information: How we can reach you for follow-up

• Initial Response: Within 24 hours
• Vulnerability Assessment: Within 72 hours
• Fix Development: Within 1-2 weeks for critical issues
• Public Disclosure: Coordinated disclosure after fix is ready

zql performs extensive validation at compile-time:

• SQL Syntax Validation: Invalid SQL is rejected during compilation
• Type Safety: Column access is type-checked at compile-time
• Buffer Bounds: Result buffer sizes are verified at compile-time
• Schema Validation: Table schemas are validated against queries

• Zero Dynamic Allocation: No heap allocations prevent use-after-free vulnerabilities
• Stack-Based Execution: All execution occurs on the stack with fixed bounds
• No External Dependencies: Pure Zig implementation with no external libraries
• Memory Safety: Zig's memory safety guarantees apply to all operations

1. Validate Input: Always validate SQL strings before compilation
2. Buffer Sizing: Provide appropriately sized result buffers
3. Schema Consistency: Ensure schema definitions match data layouts
4. Error Handling: Handle compilation errors gracefully

1. Code Review: Review generated code for security implications
2. Dependency Updates: Keep Zig version current for security patches
3. Access Control: Implement proper access controls at the application level
4. Audit Logging: Log query execution for security monitoring

• Query complexity is limited by Zig's compile-time evaluation limits
• Very large schemas may exceed compilation memory limits
• Complex expressions have maximum nesting depth constraints

• No built-in authentication or authorization
• No encryption of data at rest or in transit
• No access logging or audit trails
• No rate limiting or DoS protection

We recommend the following security testing approaches:

1. Static Analysis: Use Zig's built-in safety checks
2. Fuzz Testing: Fuzz SQL input parsing
3. Memory Testing: Use valgrind/ASAN for memory safety verification
4. Performance Testing: Ensure no performance degradation that could indicate security issues

We follow responsible disclosure practices:

• Vulnerabilities are kept confidential until fixed
• Credit is given to reporters (with permission)
• Fixes are developed and tested before public release
• Security advisories are published for significant issues

For security-related questions or concerns:

• Security Issues: security@zql.dev
• General Security Questions: security@zql.dev
• PGP Key: Available at https://github.com/your-org/zql/security/pgp-key.asc

Thank you for helping keep zql secure!