We release patches for security vulnerabilities in the following versions:
| Package | Version | Supported |
|---|---|---|
| ison-parser (JS) | 1.x | Yes |
| ison-ts | 1.x | Yes |
| ison-py | 1.x | Yes |
| ison-rs | 1.x | Yes |
| ison-go | 1.x | Yes |
| ison-cpp | 1.x | Yes |
| ison-cli | 1.x | Yes |
If you discover a security vulnerability within ISON, please report it by:
- DO NOT open a public GitHub issue for security vulnerabilities
- Open a private security advisory at: https://github.com/ISON-format/ison/security/advisories/new
- Or email the maintainers directly with details
Please include the following in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Dependent on complexity, typically within 30 days
When using ISON in your applications:
- Validate Input: Always validate ISON data from untrusted sources
- Limit Size: Set reasonable limits on input size to prevent DoS
- Sanitize Output: Sanitize data before rendering in web contexts
- Use Latest Versions: Keep your ISON packages updated
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar problems
- Prepare fixes for all supported versions
- Release patches as soon as possible
Thank you for helping keep ISON and its users safe!