Report potential security vulnerabilities through GitHub's Private Vulnerability Reporting at github.com/ulcspec/ULC/security/advisories/new.
Acknowledgement target: 5 business days. Patch target depends on severity and scope, communicated in the advisory thread.
ULC is a specification project. Security considerations differ across the artifacts in this repository.
- The reference validator (
tools/validator/, distributed as theulcGo binary): parse safety, error handling, supply-chain integrity of Go module dependencies, archive integrity of release binaries. - Schema files (
schema/) where a malformed schema could cause downstream validators to misbehave (regex denial-of-service patterns, infinite$refloops, oversized expansions). - Build and release workflows (
.github/workflows/) where compromise could affect the integrity of distributed binaries.
- Disagreements with normative content of the specification. Open an issue using the "Spec clarification" or "Schema change proposal" template.
- Missing IES, LDT, GLDF, ETIM, or LM-79/LM-80/LM-84 features. Open a feature request.
- Taxonomy debates. Open a Discussion.
- Suggestions to expand or restrict ULC's scope. Open a Discussion or Issue.
Security fixes land on the latest tagged release, and on the newest patch of the previous minor line once a newer minor ships (an upgrade window). Pin to a specific tag and upgrade promptly when a patch ships.
| Version | Security fixes |
|---|---|
| Latest tagged release | Yes |
Newest patch of the previous minor line (for example the latest 1.0.x once 1.1.0 ships) |
Yes |
| All other releases | No |
Untagged commits on main |
Best-effort, not guaranteed |