| Version | Supported |
|---|---|
| 0.1.x | ✅ |

DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues via:

- Private Security Advisory (preferred): https://github.com/gogpu/compose/security/advisories/new
- GitHub Discussions (for less critical issues): https://github.com/gogpu/gogpu/discussions

- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Initial Response: Within 72 hours
- Fix & Disclosure: Coordinated with reporter

compose uses inter-process communication (IPC) mechanisms. Users should be aware of:
- Unix Domain Sockets — socket files are created with default permissions. Use appropriate file permissions in production.
- Shared Memory (Phase 2) — memory-mapped regions are shared between processes. Ensure only trusted modules connect.
- Wire Protocol — frame data is not encrypted. For untrusted networks, use TLS or a secure transport.
- Module Identity — module names are self-declared. The compositor should validate module identity for security-critical deployments.
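
One way to act on the Unix domain socket note above, as an added example that is not gogpu/compose code: bind the socket inside an owner-only directory, tighten the socket file to 0600, and check the result. `ListenPrivate`, `Private` and the socket path are hypothetical names chosen for this sketch.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// ListenPrivate binds a Unix socket that only the owning user can reach. The parent
// directory is locked to 0700 before bind, so default socket permissions are never exposed.
func ListenPrivate(path string) (net.Listener, error) {
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	if err := os.Chmod(dir, 0o700); err != nil { // MkdirAll keeps an existing mode
		return nil, err
	}
	// Clear a stale socket from an earlier run, but never another file type.
	if fi, err := os.Lstat(path); err == nil {
		if fi.Mode()&os.ModeSocket == 0 {
			return nil, fmt.Errorf("%s exists and is not a socket", path)
		}
		os.Remove(path)
	}
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(path, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	return ln, nil
}

// Private reports whether path exists and denies all access to group and others.
func Private(path string) bool {
	fi, err := os.Lstat(path)
	return err == nil && fi.Mode().Perm()&0o077 == 0
}

func main() {
	sock := filepath.Join(os.TempDir(), "compose-example", "c.sock") // constructed path
	if ln, err := ListenPrivate(sock); err == nil {
		defer ln.Close()
	}
	fmt.Println(Private(sock))
}
```

File permissions only limit which local users can connect; they do not address the self-declared module names mentioned in the list above.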
- GitHub Security Advisory: https://github.com/gogpu/compose/security/advisories/new
- Public Issues: https://github.com/gogpu/compose/issues

Thank you for helping keep gogpu/compose secure!