Skip to content

Security: Yannosay/sinth

SECURITY.md

Security Policy

Reporting a Vulnerability

Do not open a public issue.

Sinth follows a coordinated vulnerability disclosure process.

Submit reports via the GitHub Security Advisory system (Security tab).

A PGP key for sensitive communications is available here. (Fingerprint: 710E FF4E 0851 C6FC A65E BCD3 9043 F9F9 09C7 5C31)

Timeline:

  • Acknowledgment within 48 hours
  • Initial assessment within 5 business days
  • Coordinated disclosure embargo: up to 90 days (extensions negotiated case-by-case)

You will receive status updates throughout the process. Vulnerability details must remain confidential until a public advisory is released.

Credit is given in the published advisory unless you request anonymity.

Supported Versions

Security patches are provided only for the following versions:

Version Supported Status
3.0.0 and later supported Active support
1.9.0 through 1.11.x security Security support
earlier than 1.9.0 eol End of life

Users must upgrade to a supported version before a report can be triaged.

Scope

Sinth is a compiler that actively transforms source code. The following are in scope:

  • Silent miscompilation – Incorrect output without error or warning, especially when that output could result in exploitable or unsafe behaviour.
  • Code generation vulnerabilities – Compiler-emitted code that introduces injection vectors, memory-safety violations, or privilege-escalation paths.
  • Input exploitation – Crafted source files that cause the compiler to leak information, gain unauthorised access, or exhibit undefined behaviour during compilation.

Out of Scope

  • Denial-of-service through resource exhaustion, unless it leads to exploitable undefined behaviour.
  • Crashes, hangs, or incorrect error messages that do not produce incorrect output (file these as standard Issues).
  • Vulnerabilities in user code produced by Sinth where the root cause is the user's own logic, not a compiler defect.
  • Vulnerabilities in third-party dependencies, unless Sinth's specific usage or configuration enables the issue.

Disclosure and Remediation Process

  1. Triage – Severity and impact are assessed against the latest stable release.
  2. Fix development – A patch is created and tested across all supported version lines.
  3. Backport – The fix is applied to every actively supported release.
  4. Advisory publication – A GitHub Security Advisory is released with a clear impact assessment, CVSS score, and upgrade instructions.
  5. Recognition – Reporters are credited in the advisory (unless anonymity has been requested).

Critical vulnerabilities are typically addressed within 7 days. Lower-severity issues follow the standard release cadence.

Recognition

We gratefully acknowledge the security researchers who have responsibly disclosed vulnerabilities to Sinth. Their contributions are recorded in our published Security Advisories and, with consent, in release notes.


This policy is effective as of 2026-06-09 and applies to all versions of Sinth.

There aren't any published security advisories