The following versions of PySDL currently receive security fixes:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of PySDL seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
- Email: shenning_00@yahoo.com
- Subject Line: [SECURITY] PySDL Vulnerability Report
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it
After you report a vulnerability, you can expect:
- Acknowledgment: You should receive an acknowledgment within 48 hours
- Initial Assessment: We will send an initial assessment within 5 business days
- Updates: We will keep you informed of progress towards a fix
- Public Disclosure: We will coordinate public disclosure with you
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own, or with explicit permission from the account holder
- Do not exploit any security issue they discover, for any reason
PySDL is designed with the following security considerations:
- No external dependencies
  - PySDL has zero external dependencies
  - Minimal attack surface from third-party code
- No network I/O
  - Core library performs no network I/O
  - Applications control all external communication
- Type safety
  - Comprehensive type hints throughout
  - mypy type checking in CI/CD
  - Reduces runtime type errors
- Input validation
  - ValidationError raised for invalid inputs
  - Process and signal type checking
  - Timer parameter validation
When using PySDL in your applications:
- Validate External Inputs: Always validate data from external sources (network, files, user input) before creating signals from it
- Limit Signal Data: Don't include sensitive data in signal payloads unless it is encrypted
- Process Isolation: Use separate SdlSystem instances for separate security boundaries; instances that share one Python process and event loop are a logical boundary, not an OS-level one
- Error Handling: Properly handle ValidationError and other exceptions rather than letting them terminate the event loop
- Logging: Be cautious about logging signal data; redact sensitive fields before they reach a log line
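The validation, error-handling and logging practices above, as an added example that is not PySDL's own code: an application-side layer that turns untrusted JSON into a checked payload, rejects anything that does not match an allow-listed schema, and logs only a redacted copy. The schemas, the `ExternalInputError` class and the sample messages are constructed for this example; the PySDL call that would consume the validated payload is deliberately omitted, because its signature is not given on this page.

```python
"""Application-side validation and log redaction for data that will become
PySDL signal payloads.  Added example using only the standard library; the
schemas and sample messages below are constructed, not taken from PySDL."""
from __future__ import annotations

import json
import logging
import re
from typing import Any

LOG = logging.getLogger("pysdl_app.ingest")

# Assumed per-signal schema (constructed for this example): field -> type.
# Only signals listed here may be created from external data.
SIGNAL_SCHEMAS: dict[str, dict[str, type]] = {
    "LoginRequest": {"user_id": int, "session": str},
    "Transfer": {"user_id": int, "amount": int, "note": str},
}

# Payload keys whose values must never reach a log line.
SENSITIVE_KEYS = frozenset({"session", "password", "token"})

MAX_PAYLOAD_BYTES = 4096
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


class ExternalInputError(ValueError):
    """Raised when untrusted input fails application-side validation."""


def validate_external_input(raw: bytes) -> tuple[str, dict[str, Any]]:
    """Parse an untrusted JSON message into (signal_name, payload).

    Rejects oversized input, malformed or non-object JSON, unknown signal
    names, missing, unknown or mistyped fields and out-of-range values, so
    that only well-formed data is ever handed to a signal constructor.
    """
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise ExternalInputError("message too large")
    try:
        msg = json.loads(raw)
    except ValueError as exc:  # covers JSONDecodeError and bad UTF-8
        raise ExternalInputError(f"malformed JSON: {exc}") from None
    if not isinstance(msg, dict):
        raise ExternalInputError("top-level JSON value must be an object")
    name = msg.get("signal")
    if not isinstance(name, str) or not IDENT_RE.match(name):
        raise ExternalInputError("invalid signal name")
    schema = SIGNAL_SCHEMAS.get(name)
    if schema is None:
        raise ExternalInputError(f"unknown signal: {name}")
    payload = msg.get("payload")
    if not isinstance(payload, dict):
        raise ExternalInputError("payload must be an object")
    unknown = set(payload) - set(schema)
    if unknown:
        raise ExternalInputError(f"unexpected fields: {sorted(unknown)}")
    for field, typ in schema.items():
        if field not in payload:
            raise ExternalInputError(f"missing field: {field}")
        value = payload[field]
        # bool is a subclass of int in Python; do not let true pass as 1.
        if isinstance(value, bool) or not isinstance(value, typ):
            raise ExternalInputError(f"field {field} must be {typ.__name__}")
        if typ is int and not 0 <= value < 2**31:
            raise ExternalInputError(f"field {field} out of range")
        if typ is str and len(value) > 256:
            raise ExternalInputError(f"field {field} too long")
    return name, payload


def redact(payload: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the payload that is safe to log."""
    return {k: ("<redacted>" if k in SENSITIVE_KEYS else v) for k, v in payload.items()}


def ingest(raw: bytes, log: logging.Logger = LOG) -> tuple[str, dict[str, Any]] | None:
    """Validate one external message; log only redacted data; None if rejected."""
    try:
        name, payload = validate_external_input(raw)
    except ExternalInputError as exc:
        # Log the reason, never the raw bytes: they are untrusted and may be sensitive.
        log.warning("rejected external message: %s", exc)
        return None
    log.info("accepted signal %s with payload %s", name, redact(payload))
    # Here the application would build the PySDL signal from `payload` and
    # hand it to its SdlSystem; that call is omitted because its signature
    # is not shown on this page.
    return name, payload


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample messages, not real traffic.
    ingest(b'{"signal": "LoginRequest", "payload": {"user_id": 42, "session": "s3cr3t"}}')
    ingest(b'{"signal": "Transfer", "payload": {"user_id": 42, "amount": -5, "note": ""}}')
    ingest(b'{"signal": "Shutdown", "payload": {}}')
```

The allow-list is the important design choice: a signal name or field that is not in `SIGNAL_SCHEMAS` is rejected before any library object is built, so PySDL's own `ValidationError` becomes a second line of defence rather than the only one, and the `bool` check matters because Python would otherwise accept `true` wherever an `int` is expected.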
Known limitations that applications must account for:
- PySDL is single-threaded (asyncio event loop)
- No built-in authentication or authorization
- No built-in encryption for signal data
- Applications must implement their own security controls for any of the above
Security updates will be released as patch versions and announced via:
- GitHub release notes
- CHANGELOG.md updates
- Email notification to reporters
Thank you for helping keep PySDL and its users safe!