QuantoScript is pre-1.0 software. Security fixes are applied to the latest
release and the main branch only.
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, use GitHub's private reporting:
- Go to the Security tab of the repository.
- Click Report a vulnerability to open a private advisory.
Alternatively, open a minimal private channel with the maintainers via the repository's contact options.
When reporting, please include:
- A description of the vulnerability and its impact.
- A minimal QuantoScript program or input that reproduces it.
- The
qs versionoutput and your operating system. - Any suggested remediation, if you have one.
QuantoScript executes untrusted-looking scripts by design, but it is not a security sandbox by default. Areas where reports are especially valuable:
- Memory-safety issues in the C runtime (buffer overflows, use-after-free, etc.),
including malformed
.qvmbytecode files. - Bypasses of the
--sandboxfile-access restriction. - Vulnerabilities in the HTTP / WebSocket / TLS handling.
We aim to acknowledge a report within a few days, agree on a disclosure timeline, and credit reporters who wish to be named once a fix is released.