Security is a top priority in the development of Ziggy STARKdust. This document outlines some security best practices that contributors should follow, as well as procedures for reporting security vulnerabilities.
-
Understandable and Simplicity: Keep your code as simple and straightforward as possible.
-
Code Reviews: Every pull request must be reviewed by at least one other developer who is knowledgeable about the code and context.
-
Limited Scope: Minimize the accessibility of functions, classes, and variables by reducing their scope whenever possible.
-
Error Handling: Always check for error returns unless you are absolutely sure that the function cannot return an error.
-
Input Validation: Validate input from all untrusted data sources.
We adhere to the NASA Power of Ten Rules for safer code:
- Avoid complex flow constructs, such as
goto
and recursion. - All loops must have a fixed upper bound and be provably terminable.
- Avoid dynamic memory allocation after initialization.
- No function should be longer than what can be printed on a single sheet of paper.
- Assert liberally to document internal assumptions and invariants.
- Minimize global and shared data.
- Use at least two runtime assertions per function.
- Data objects must be declared at the smallest possible level of scope.
- Check the return value of all non-void functions, or cast to void to indicate the result is useless.
- Limit the scope of data to the smallest possible lexical scope.
For critical vulnerabilities, please do NOT open an issue. Instead, send an email directly to [email protected].
Critical vulnerabilities include but are not limited to:
- Code execution attacks
- Privilege escalation
- Data leaks
For non-critical vulnerabilities, such as issues that are relevant but do not pose an immediate threat to the integrity of the system, you may open a GitHub issue in the ziggy-starkdust repository.
Adhering to these guidelines is essential for ensuring that Ziggy STARKdust remains a secure and reliable codebase. Your cooperation is greatly appreciated.
For any further questions, feel free to contact [email protected].