We release patches for security vulnerabilities in the following versions:
We take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: security@yourdomain.com
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After you submit a report, we will:
- Confirm receipt of your vulnerability report within 48 hours
- Provide regular updates on our progress
- Credit you in our security advisories (unless you prefer to remain anonymous)
When using RuleEngine, please follow these security best practices:
- Validate Input: Always validate and sanitize rule input data
- Sandboxing: Consider running rule compilation in a sandboxed environment for untrusted rules
- Resource Limits: Set appropriate timeouts and memory limits for rule execution

```csharp
// Example: Safe rule compilation with timeout
var compiler = new RuleCompiler<MyInput, bool>();
var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
// Note: the token bounds compilation only; execution time must be limited separately
var rule = await compiler.CompileAsync("safe-rule", ruleString, cts.Token);
```

- Connection Strings: Never hardcode database connection strings
- SQL Injection: Use parameterized queries (EF Core parameterizes LINQ queries automatically; raw SQL built by string concatenation and passed to FromSqlRaw or ExecuteSqlRaw is still injectable, so prefer FromSqlInterpolated or explicit parameters there)
- Access Control: Implement proper authentication and authorization

```csharp
// Example: Secure connection string configuration (read from configuration, never from source)
builder.Services.AddRuleEngine()
    .AddSqlite(builder.Configuration.GetConnectionString("DefaultConnection"));
```

- Authentication: Implement proper authentication for rule management APIs
- Authorization: Use role-based access control for rule operations
- Rate Limiting: Implement rate limiting to prevent abuse
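The `[Authorize(Roles = "RuleManager")]` attribute in the endpoint example relies on an authorization policy and, for rate limiting, on a limiter being registered at startup. The following is an added example of that wiring for an ASP.NET Core (.NET 7 or later) minimal host; it is not code from RuleEngine. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package is referenced and the `Bearer` scheme is configured in appsettings under `Authentication:Schemes:Bearer`; the `/rules` route, the `rule-writes` policy name and the `CreateRuleRequest` record are illustrative.

```csharp
// Added example, not code from RuleEngine: ASP.NET Core (.NET 7 or later) minimal host
// wiring a RuleManager role policy and a per-caller rate limit for the rule-management API.
// Assumptions: Microsoft.AspNetCore.Authentication.JwtBearer is referenced and the Bearer
// scheme is configured in appsettings (Authentication:Schemes:Bearer); the route, the
// policy names and the CreateRuleRequest shape are illustrative.
using System;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("Bearer").AddJwtBearer();

// Authorization: rule writes require an authenticated caller in the RuleManager role.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("RuleManager", policy =>
        policy.RequireAuthenticatedUser().RequireRole("RuleManager")));

// Rate limiting: a fixed window per caller. Keying on the user name stops one abusive
// account from starving everyone else; callers without an identity fall back to client IP.
// QueueLimit = 0 rejects excess requests immediately instead of holding them.
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.AddPolicy("rule-writes", httpContext =>
    {
        var key = httpContext.User.Identity is { IsAuthenticated: true } identity
            ? identity.Name ?? "authenticated-without-name"
            : httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        return RateLimitPartition.GetFixedWindowLimiter(key, _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 10,
            Window = TimeSpan.FromMinutes(1),
            QueueLimit = 0,
        });
    });
});

var app = builder.Build();

// Authentication must run before the rate limiter so the partition key can see the user.
app.UseAuthentication();
app.UseRateLimiter();
app.UseAuthorization();

app.MapPost("/rules", (CreateRuleRequest request) => Results.Accepted())
   .RequireAuthorization("RuleManager")
   .RequireRateLimiting("rule-writes");

app.Run();

// Illustrative request body; the project's real request type is not shown on this page.
record CreateRuleRequest(string Name, string Rule);
```

With this registration an authenticated caller in the `RuleManager` role gets ten rule writes per minute and a 429 thereafter; a caller without the role gets 403 before the rule string is ever parsed. Middleware order matters: if `UseRateLimiter` ran before `UseAuthentication`, every caller would share the anonymous IP bucket.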
```csharp
// Example: Secure API endpoint
[Authorize(Roles = "RuleManager")]
[HttpPost]
public async Task<IActionResult> CreateRule([FromBody] CreateRuleRequest request)
{
    // Implementation
}
```

- Code Injection: Rule strings are compiled as C# code and loaded into the host process, so anyone who can submit a rule can run arbitrary code with the application's privileges. Only allow trusted users to create rules
- Resource Exhaustion: Malicious rules could consume excessive CPU or memory
- Assembly Loading: Compiled rules are loaded into the application domain
- Input Validation: Always validate rule input data
- User Permissions: Restrict rule creation to authorized users only
- Monitoring: Monitor rule execution for unusual patterns
- Regular Updates: Keep dependencies updated for security patches
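Two of the considerations above, code injection and resource exhaustion, can be partly mitigated before a rule reaches the compiler and while it runs. The following is an added example (not RuleEngine's own code) that screens a rule string with the Roslyn parser and bounds the wall-clock time of a compiled rule. It assumes the `Microsoft.CodeAnalysis.CSharp` package is referenced, that rule strings are C# expressions or statements (parsed here in script mode), and that a compiled rule can be invoked as a `Func<TIn, TOut>`; the RuleEngine-specific invocation API is not shown on this page, and the sample rule strings are constructed for illustration.

```csharp
// Added example, not code from RuleEngine: screen an untrusted rule string with Roslyn
// before it reaches RuleCompiler, and bound the time a compiled rule may run.
// Assumptions: Microsoft.CodeAnalysis.CSharp is referenced; rule strings are C# expressions
// or statements (parsed in script mode); a compiled rule is invocable as Func<TIn, TOut>.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public static class RuleGuard
{
    private const int MaxRuleLength = 4_000;

    // Identifiers a rule has no business touching. This is a denylist, so it is only
    // defence in depth: compiled C# runs with full trust in this process, and reflection
    // (input.GetType().GetMethod(...)) slips past any token-based filter. The real
    // boundary is who may submit rules and the process or container they execute in.
    private static readonly HashSet<string> ForbiddenIdentifiers = new(StringComparer.Ordinal)
    {
        "IO", "File", "Directory", "Process", "Reflection", "Assembly", "Activator",
        "Environment", "AppDomain", "Net", "Http", "Sockets", "Threading", "Thread",
        "Marshal", "DllImport", "Unsafe", "GC", "Console",
    };

    // Returns an empty list when the rule passes; otherwise one reason per finding.
    public static IReadOnlyList<string> Screen(string rule)
    {
        var problems = new List<string>();
        if (string.IsNullOrWhiteSpace(rule))
        {
            problems.Add("rule is empty");
            return problems;
        }
        if (rule.Length > MaxRuleLength)
        {
            problems.Add($"rule exceeds {MaxRuleLength} characters");
            return problems;
        }

        var tree = CSharpSyntaxTree.ParseText(rule, new CSharpParseOptions(kind: SourceCodeKind.Script));
        var root = tree.GetRoot();

        foreach (var d in tree.GetDiagnostics().Where(d => d.Severity == DiagnosticSeverity.Error))
            problems.Add($"syntax error: {d.GetMessage()}");

        if (root.DescendantNodes().OfType<UsingDirectiveSyntax>().Any())
            problems.Add("using directives are not allowed in rules");
        if (root.DescendantNodes().OfType<UnsafeStatementSyntax>().Any())
            problems.Add("unsafe blocks are not allowed in rules");

        var hits = root.DescendantTokens()
            .Where(t => t.IsKind(SyntaxKind.IdentifierToken) && ForbiddenIdentifiers.Contains(t.Text))
            .Select(t => t.Text)
            .Distinct()
            .OrderBy(t => t, StringComparer.Ordinal);
        foreach (var hit in hits)
            problems.Add($"forbidden identifier: {hit}");

        return problems;
    }

    // Runs a compiled rule with a wall-clock limit. Cancellation in .NET is cooperative,
    // so a rule stuck in a tight loop keeps burning its thread after the timeout fires;
    // treat a TimeoutException as a signal to quarantine the rule and, for untrusted
    // tenants, execute rules in a separate process that can simply be killed.
    public static async Task<TOut> RunBoundedAsync<TIn, TOut>(Func<TIn, TOut> rule, TIn input, TimeSpan limit)
    {
        return await Task.Run(() => rule(input)).WaitAsync(limit);
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed sample rules for illustration.
        string benign = "input.Amount > 1000 && input.Country == \"NL\"";
        string hostile = "System.IO.File.ReadAllText(\"/etc/passwd\").Length > 0";

        Console.WriteLine($"benign:  {string.Join("; ", RuleGuard.Screen(benign).DefaultIfEmpty("ok"))}");
        Console.WriteLine($"hostile: {string.Join("; ", RuleGuard.Screen(hostile))}");

        // Bounded execution of a stand-in rule that never terminates.
        Func<int, bool> spinning = _ => { while (true) { } };
        try
        {
            await RuleGuard.RunBoundedAsync(spinning, 42, TimeSpan.FromMilliseconds(200));
        }
        catch (TimeoutException)
        {
            Console.WriteLine("rule exceeded its time budget");
        }
    }
}
```

The screen rejects the hostile rule on the `IO` and `File` tokens and accepts the benign one, but a denylist is easy to evade (reflection, `dynamic`, string-built type names), which is why the list above still says rule creation must be restricted to trusted users. The timeout wrapper reports the overrun; it cannot reclaim the CPU a runaway rule is consuming, so memory and CPU caps belong at the process or container level for anything less than fully trusted rules.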
We will release security updates as needed. When a security vulnerability is discovered:
- We will create a security advisory
- We will release a patched version as soon as possible
- We will notify users through GitHub releases and security advisories
For security-related questions or concerns, please contact us at:
- Email: security@yourdomain.com
- GitHub Security Advisories: View advisories
We would like to thank the following security researchers who have responsibly disclosed vulnerabilities:
- [List security researchers here]
Last updated: September 2025
