We take security vulnerabilities seriously. The following versions are currently supported with security updates:
| Version | Supported | Status |
|---|---|---|
| 0.1.x | ✅ | Alpha |
Note: As this is an alpha release, security updates will be provided on a best-effort basis.
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in the SQLite Graph Database Extension, please report it to us privately:
Send details to: security@agentflare.ai
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Affected versions (if known)
- Suggested fix (if you have one)
- Your contact information for follow-up
Once a report is received:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will assess the vulnerability and determine its severity within 5 business days
- Updates: We will keep you informed of our progress
- Disclosure: We will coordinate with you on public disclosure timing
- Credit: We will credit you in our security advisories (unless you prefer to remain anonymous)
When using the SQLite Graph Database Extension:
- Always validate and sanitize user input before using it in Cypher queries
- Use parameterized queries when possible
- Avoid constructing queries from untrusted input
- Run SQLite with appropriate file permissions
- Limit who can load extensions in your SQLite instance
- Use SQLite's built-in access control features
- Only load the extension from trusted sources
- Verify checksums of downloaded binaries (see releases page)
- Keep the extension updated to the latest version
- This is a native C extension that runs in the same process as SQLite
- While we use memory-safe practices, vulnerabilities may exist in alpha releases
- Consider running in isolated environments for untrusted workloads
- The extension operates on in-memory data structures
- Sensitive data should be encrypted at rest using SQLite's encryption extensions
- Be aware that graph data may be exposed through error messages or logs
- This is an alpha release and has not undergone extensive security auditing
- The API and internal structures may change, potentially affecting security properties
- Use in production environments is not recommended at this time
- The extension uses SQLite's memory allocation functions
- Memory leaks or use-after-free vulnerabilities may exist in alpha code
- We actively test with AddressSanitizer and Valgrind
- SQLite extensions run with full process privileges
- Malicious queries could exploit bugs to execute arbitrary code in that process
- Only allow trusted users to submit Cypher queries
- Complex graph queries may consume significant CPU and memory
- Consider implementing query timeouts and resource limits
- Monitor for resource exhaustion attacks
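The guidance above on validating input, using parameterized queries, limiting who can load extensions, and bounding query time and resources, as an added example that is not part of this policy or of the extension's own code. It uses Python's standard `sqlite3` module. Because this page does not name the extension's SQL-level Cypher entry point, value binding is shown against an ordinary constructed table named `Person`, `ALLOWED_LABELS` is a constructed allowlist, `RUNAWAY_QUERY` is a constructed stand-in for an expensive traversal, and `extension_path` is a hypothetical path to the built extension. The same `?` binding, identifier allowlisting and progress-handler deadline apply to whatever statement runs a Cypher query.

```python
import re
import sqlite3
import time

# Labels, relationship types and property names cannot be bound as query
# parameters (in Cypher or SQL), so they are checked against an explicit
# allowlist instead of being spliced in from untrusted input.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
ALLOWED_LABELS = frozenset({"Person", "Company"})  # constructed allowlist

# Constructed runaway statement: an unbounded recursive CTE that never finishes
# on its own, standing in for an expensive graph traversal.
RUNAWAY_QUERY = (
    "WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c) "
    "SELECT count(*) FROM c"
)

class QueryTimeout(Exception):
    """Raised when a statement exceeds its time budget and is interrupted."""

def validate_identifier(name, allowed):
    """Return `name` if it is well-formed and on the allowlist; raise ValueError otherwise."""
    if not IDENTIFIER_RE.fullmatch(name) or name not in allowed:
        raise ValueError(f"identifier not allowed: {name!r}")
    return name

def open_hardened(path=":memory:", extension_path=None):
    """Open a connection, optionally load the graph extension, then lock loading down."""
    conn = sqlite3.connect(path)
    if hasattr(conn, "enable_load_extension"):  # absent on builds without extension support
        if extension_path is not None:  # hypothetical path to the built extension
            conn.enable_load_extension(True)
            conn.load_extension(extension_path)
        # Leave loading disabled so no later statement can call load_extension().
        conn.enable_load_extension(False)
    if hasattr(conn, "setlimit"):  # sqlite3_limit wrapper, Python 3.11+
        conn.setlimit(sqlite3.SQLITE_LIMIT_SQL_LENGTH, 64 * 1024)  # cap statement text size
    return conn

def run_with_timeout(conn, sql, params=(), timeout_s=1.0):
    """Execute `sql` with bound `params`; abort via the progress handler after `timeout_s`."""
    deadline = time.monotonic() + timeout_s

    def check_deadline():
        # A non-zero return value makes SQLite abort the running statement.
        return 1 if time.monotonic() >= deadline else 0

    conn.set_progress_handler(check_deadline, 1000)  # invoked every ~1000 VM ops
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.OperationalError as exc:
        if time.monotonic() >= deadline:
            raise QueryTimeout(f"statement exceeded {timeout_s}s") from exc
        raise
    finally:
        conn.set_progress_handler(None, 0)

def seed(conn):
    """Constructed sample rows standing in for graph nodes."""
    conn.execute("CREATE TABLE IF NOT EXISTS Person(name TEXT)")
    conn.executemany("INSERT INTO Person(name) VALUES (?)", [("Ada",), ("O'Brien",)])

def unsafe_lookup(conn, label, name):
    """Anti-pattern: the value is concatenated into the statement text, so a quote
    in `name` alters the statement's structure instead of being treated as data."""
    label = validate_identifier(label, ALLOWED_LABELS)
    return run_with_timeout(conn, f"SELECT name FROM {label} WHERE name = '{name}'")

def safe_lookup(conn, label, name):
    """Identifier allowlisted, value bound with `?` so quotes remain data."""
    label = validate_identifier(label, ALLOWED_LABELS)
    return run_with_timeout(conn, f"SELECT name FROM {label} WHERE name = ?", (name,))

def demo():
    """Exercise each control and report what happened."""
    conn = open_hardened()
    seed(conn)
    results = {"safe": safe_lookup(conn, "Person", "O'Brien")}
    try:
        unsafe_lookup(conn, "Person", "O'Brien")
        results["unsafe"] = "ran"
    except sqlite3.OperationalError:
        results["unsafe"] = "syntax error"
    try:
        validate_identifier("Customer", ALLOWED_LABELS)  # well-formed but not allowlisted
        results["identifier"] = "accepted"
    except ValueError:
        results["identifier"] = "rejected"
    try:
        run_with_timeout(conn, RUNAWAY_QUERY, timeout_s=0.2)
        results["timeout"] = "completed"
    except QueryTimeout:
        results["timeout"] = "interrupted"
    return results

if __name__ == "__main__":
    print(demo())
```

The progress handler is the portable way to put a wall-clock budget on a single statement from the application side; for a CPU or memory ceiling on the whole process, pair it with operating-system limits (for example a cgroup or `ulimit`) as the list above suggests.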
- Security fixes will be released as patch versions (e.g., 0.1.1)
- Critical vulnerabilities will be addressed with emergency releases
- Security advisories will be published on GitHub
- CVEs will be requested for significant vulnerabilities
Security updates are announced through:
- GitHub Security Advisories
- Release notes and CHANGELOG.md
- Email notifications to security@agentflare.ai subscribers
- Social media announcements for critical issues
Typical disclosure timeline:
- Day 0: Vulnerability reported privately
- Day 1-2: Acknowledgment sent to reporter
- Day 1-7: Vulnerability assessed and triaged
- Day 7-30: Fix developed and tested
- Day 30: Coordinated public disclosure (or earlier if actively exploited)
We follow responsible disclosure practices and appreciate security researchers who do the same.
We will acknowledge security researchers who responsibly disclose vulnerabilities:
- No reports yet - be the first!
For security-related questions that are not vulnerabilities, you can:
- Open a GitHub Discussion
- Email: security@agentflare.ai
- Review our Contributing Guide
Last Updated: 2025-10-24
Version: 0.1.0-alpha.0