ColQL is currently in early development (v0.0.x).

We recommend always using the latest version, as security fixes and improvements will only be applied to the most recent release.

If you discover a security vulnerability in ColQL, please report it responsibly.

• Open a private security advisory on GitHub (preferred), or
• Contact us via email (if available), or
• Open an issue only if the vulnerability is not sensitive

• A clear description of the vulnerability
• Steps to reproduce
• Impact assessment (if known)
• Any potential fixes or suggestions (optional)

We aim to:

• Acknowledge reports within 48 hours
• Provide an initial assessment within 3–5 days
• Release a fix as soon as possible, depending on severity

ColQL is an in-memory query engine. Security considerations mainly include:

• Memory safety and unexpected data exposure
• Input validation and runtime errors
• Denial-of-service scenarios via malformed queries or large inputs
• Serialization/deserialization integrity

The following are generally out of scope unless they lead to a real vulnerability:

• Performance issues (unless exploitable)
• Incorrect usage of the library
• Theoretical or non-reproducible issues

To use ColQL securely:

• Do not treat rowIndex as a stable identifier
• Validate user input before passing it into queries
• Avoid exposing raw query interfaces directly to untrusted users
• Use explicit id fields for identity management

We follow responsible disclosure:

• Vulnerabilities will not be publicly disclosed until a fix is available
• Users will be notified via release notes when fixes are shipped