| Version | Supported |
|---|---|
| latest | Yes |
| older | No |
Only the latest published release receives security updates.
Do not open a public GitHub issue for security vulnerabilities.
Report privately via GitHub Security Advisories.
Include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce or a proof of concept.
- The OS, Rust toolchain, and crate version you were running.
Expect an initial acknowledgment within 7 days.
In scope:
- mzML writer correctness on adversarial input.
openmassspec-coreships the canonical mzML 1.1.0 writer that every vendor parser funnels through. Crashes (panics, OOB writes), arbitrary file writes, or XML-injection issues triggered by craftedSpectrumRecorddata are in scope. - Arrow bridge soundness (under the
arrowfeature): unsound memory access, undefined behavior, or buffer-length confusion when buildingRecordBatchvalues from spectra. - Conformance harness correctness: false-positive passes (the harness lets invalid input through). False negatives are bugs but not security issues.
- Supply-chain integrity of published artifacts on crates.io.
Out of scope:
- Vulnerabilities in third-party crates with no demonstrated exploit path through this crate. Forward those upstream.
- Denial of service via legitimately oversized spectrum streams.
- Issues that require write access to the source tree.
We follow coordinated disclosure. Reporters are credited in the release notes unless they prefer to remain anonymous. We aim to ship a fix within 30 days of confirming a high or critical issue.
openmassspec-core is the foundation crate of the
OpenMassSpec stack. Reports
that involve vendor-specific parsing are usually better routed to the
relevant parser repo:
- Thermo
.raw: OpenTFRaw - Bruker
.d/(timsTOF): OpenTimsTDF - Waters MassLynx
.raw/: OpenWRaw