Skip to content

Security: marsmodule/MarsmoduleDB

Security

SECURITY.md

Security Policy

MarsmoduleDB is experimental software. Do not assume it is ready for production systems without your own review of compatibility, durability, concurrency, and security requirements.

Supported versions

Security reports are considered for the current main branch and the latest published sqlite-rust crate version. Older versions may be investigated when a report includes a clear reproduction, but backports are not guaranteed.

Reporting a vulnerability

Please do not open a public issue for a suspected vulnerability.

Use GitHub's private vulnerability reporting flow for this repository:

https://github.com/marsmodule/MarsmoduleDB/security/advisories/new

If that form is unavailable, open a minimal public issue asking for a security contact and do not include exploit details, crash inputs, private database files, credentials, or sensitive traces.

Useful reports include:

  • the affected version or commit
  • platform and Rust version
  • whether the issue affects parsing, database file decoding, SQL execution, journaling, or the embedding API
  • a minimized reproducer when it can be shared safely
  • expected behavior and observed behavior
  • whether the issue causes panic, denial of service, data corruption, incorrect query results, or unsafe file access

Scope

In scope:

  • panics, hangs, or excessive resource use from untrusted SQL or database files
  • malformed SQLite-compatible database files that trigger incorrect behavior
  • data corruption or rollback journal recovery failures
  • injection or API behavior that violates documented parameter binding guarantees

Out of scope:

  • unsupported SQLite features already documented as missing
  • behavior that requires modifying the library source code
  • vulnerabilities in downstream applications that embed this crate incorrectly
  • reports without enough detail to reproduce or reason about the issue

Disclosure

The maintainer will review reports as time permits. Public disclosure should wait until the issue has been assessed and, when appropriate, a fix or mitigation has been published.

There aren't any published security advisories