We actively support and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
The Purl team takes security seriously. If you discover a security vulnerability, please follow these steps:
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Send a detailed report to [email protected] with:
- Subject:
[SECURITY] Purl Ruby - [Brief Description] - Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)
- Your contact information for follow-up
Please provide as much information as possible:
- Affected versions
- Attack vectors
- Proof of concept (if safe to share)
- Environmental details (Ruby version, OS, etc.)
- Any relevant configuration details
- 24-48 hours: We will acknowledge receipt of your report
- Initial assessment: Within 1 week of acknowledgment
- Status updates: Weekly until resolution
We will:
- Confirm the vulnerability exists
- Assess the severity and impact
- Develop a fix and mitigation strategy
- Test the fix thoroughly
- Coordinate disclosure timeline
- High/Critical: Immediate fix and release
- Medium: Fix within 30 days
- Low: Fix in next regular release cycle
The Purl library processes Package URL strings and performs:
- Scheme validation: Ensures proper
pkg:prefix - Component parsing: Validates type, namespace, name, version
- URI encoding: Handles percent-encoded characters
- Qualifier parsing: Processes key-value parameters
Areas that warrant security attention:
- URL Parsing: Malformed URLs could cause parsing errors
- Regular Expressions: Complex patterns may be vulnerable to ReDoS
- JSON Processing: Configuration files require safe parsing
- Network Requests: Registry URL generation involves external URLs
When using Purl in applications:
- Validate input: Don't trust user-provided PURL strings
- Handle errors: Properly catch and handle parsing exceptions
- Sanitize output: Be careful when displaying parsed components
- Rate limiting: If parsing many PURLs, implement appropriate limits
We follow coordinated disclosure principles:
- Private reporting allows us to fix issues before public disclosure
- Reasonable timeline for fixes (typically 90 days maximum)
- Credit and recognition for responsible reporters
- Public disclosure after fixes are available
After a fix is released:
- Security advisory published on GitHub
- CVE requested if applicable
- Release notes include security information
- Community notification through appropriate channels
Security updates are announced through:
- GitHub Security Advisories
- RubyGems security alerts
- Release notes and CHANGELOG
- Project README updates
To stay secure:
- Monitor our security advisories
- Update regularly to the latest version
- Review release notes for security fixes
- Subscribe to GitHub notifications for this repository
Currently, we do not offer a formal bug bounty program. However, we deeply appreciate security researchers who help improve the project's security posture.
Contributors who responsibly disclose security issues will be:
- Credited in security advisories (with permission)
- Mentioned in release notes
- Recognized in project documentation
- Thanked publicly (unless anonymity is requested)
Security Contact: [email protected]
PGP Key: Available upon request for encrypted communications
Response Time: We aim to acknowledge security reports within 24-48 hours
- PURL Specification Security Considerations
- Ruby Security Best Practices
- OWASP Secure Coding Practices
Thank you for helping keep Purl and its users safe!