If you discover a security vulnerability in EigenScript, please report it responsibly.
Email: contact@inauguralsystems.com
Subject prefix: [SECURITY]
Please do not file public GitHub issues for suspected vulnerabilities. Security reports are triaged before general support mail.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.
EigenScript treats the script author as trusted. A .eigs file is
equivalent to running a shell script or a Python program: it can read and
write files, spawn subprocesses via exec_capture, open network sockets, and
access any data the host user can access. Running an untrusted .eigs file is
not a supported use case, and file-system or process access from a script is
not, on its own, a vulnerability.
The runtime is responsible for protecting the host and remote callers from bugs in the interpreter itself and from malicious external input.
In-scope security issues:
- Buffer overflows or memory corruption in the C runtime, triggerable by attacker-controlled input (malformed source, crafted HTTP requests, malicious model files, etc.).
- Command injection where untrusted data reaches a shell via a runtime
builtin. (
exec_captureusesexecvpwith an argv list and does not invoke a shell; injection there would be a bug.) - HTTP server vulnerabilities in the extension build: request-parsing bugs,
path traversal out of the configured
static_dir, response splitting, unbounded resource consumption. - Deserialization flaws in
model_iowhen loading untrusted weight files. - SQL injection in the DB extension's own code paths. (Callers that
concatenate untrusted data into SQL via the
db_query*string argument are responsible for parameterising their own queries.)
Out of scope:
- Anything an EigenScript program can already do by virtue of running on the
host (reading
~/.ssh/id_rsa, deleting files, etc.). If the threat is "malicious script", the fix is "do not run malicious scripts".
| Version | Supported |
|---|---|
| 0.26.x | Yes |
| < 0.26 | No |
All project contact uses contact@inauguralsystems.com. Use one of these
subject prefixes so reports can be triaged quickly:
[SECURITY]Vulnerabilities or suspected security issues[BUG]Reproducible EigenScript bugs[SUPPORT]Installation, usage, or release questions[PRESS]Media, interviews, or public inquiries[LEGAL]Licensing or trademark questions