tidelog is a serialization format and a crash-recoverable store written
entirely in pure EigenScript. It opens no network sockets. It does, however,
deserialize and load store files — the CBOR decoder and the store's log reader
consume byte streams — so how the codec and the store reader handle malformed or
adversarial input is the one thing worth a report.
Please report security issues privately rather than in a public issue — via
GitHub private vulnerability reporting
or by contacting the maintainer at the address on the
InauguralSystems profile
(contact@inauguralsystems.com, subject prefix [SECURITY]). Include steps to
reproduce, a minimal malformed input if applicable, and the affected EigenScript
version.
- Malformed-input handling of the CBOR decoder (
src/cbor.eigs) and the store's log reader / recovery path (src/store.eigs) — the code that consumes untrusted bytes. - Issues in the EigenScript interpreter or runtime itself (a crash on malformed input, a bitwise/float edge, a nondeterminism leak) belong in the EigenScript repository, which has its own security process.
The latest tag on main is supported. tidelog tracks a pinned EigenScript
version (see .devcontainer/Dockerfile's EIGS_REF for the current pin); run
against that or newer.