Do not open a public issue.
Sinth follows a coordinated vulnerability disclosure process.
Submit reports via the GitHub Security Advisory system (Security tab).
A PGP key for sensitive communications is available here. (Fingerprint: 710E FF4E 0851 C6FC A65E BCD3 9043 F9F9 09C7 5C31)
Timeline:
- Acknowledgment within 48 hours
- Initial assessment within 5 business days
- Coordinated disclosure embargo: up to 90 days (extensions negotiated case-by-case)
You will receive status updates throughout the process. Vulnerability details must remain confidential until a public advisory is released.
Credit is given in the published advisory unless you request anonymity.
Security patches are provided only for the following versions:
| Version | Supported | Status |
|---|---|---|
| 3.0.0 and later | Active support | |
| 1.9.0 through 1.11.x | Security support | |
| earlier than 1.9.0 | End of life |
Users must upgrade to a supported version before a report can be triaged.
Sinth is a compiler that actively transforms source code. The following are in scope:
- Silent miscompilation – Incorrect output without error or warning, especially when that output could result in exploitable or unsafe behaviour.
- Code generation vulnerabilities – Compiler-emitted code that introduces injection vectors, memory-safety violations, or privilege-escalation paths.
- Input exploitation – Crafted source files that cause the compiler to leak information, gain unauthorised access, or exhibit undefined behaviour during compilation.
- Denial-of-service through resource exhaustion, unless it leads to exploitable undefined behaviour.
- Crashes, hangs, or incorrect error messages that do not produce incorrect output (file these as standard Issues).
- Vulnerabilities in user code produced by Sinth where the root cause is the user's own logic, not a compiler defect.
- Vulnerabilities in third-party dependencies, unless Sinth's specific usage or configuration enables the issue.
- Triage – Severity and impact are assessed against the latest stable release.
- Fix development – A patch is created and tested across all supported version lines.
- Backport – The fix is applied to every actively supported release.
- Advisory publication – A GitHub Security Advisory is released with a clear impact assessment, CVSS score, and upgrade instructions.
- Recognition – Reporters are credited in the advisory (unless anonymity has been requested).
Critical vulnerabilities are typically addressed within 7 days. Lower-severity issues follow the standard release cadence.
We gratefully acknowledge the security researchers who have responsibly disclosed vulnerabilities to Sinth. Their contributions are recorded in our published Security Advisories and, with consent, in release notes.
This policy is effective as of 2026-06-09 and applies to all versions of Sinth.