
Security: grove/pg-trickle


SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x (current pre-release)

Once v1.0.0 is released, the two most recent minor versions will receive security fixes.

Reporting a Vulnerability

Please do not report security vulnerabilities via public GitHub Issues.

Use GitHub's built-in private vulnerability reporting:

  1. Go to the Security tab of this repository
  2. Click "Report a vulnerability"
  3. Fill in the details — affected version, description, reproduction steps, and potential impact

We aim to acknowledge reports within 48 hours and provide a fix or mitigation within 14 days for critical issues.

What to Include

A useful report includes:

  • PostgreSQL version and pg_trickle version
  • Minimal reproduction SQL or Rust code
  • Description of the unintended behaviour and its security impact
  • Whether the vulnerability requires a trusted (superuser) or untrusted role to trigger

Scope

In-scope:

  • SQL injection or privilege escalation via pgtrickle.* functions
  • Memory safety issues in the Rust extension code (buffer overflows, use-after-free, etc.)
  • Denial-of-service caused by a low-privilege user triggering runaway resource usage
  • Information disclosure through change buffers (pgtrickle_changes.*) or monitoring views

Out-of-scope:

Disclosure Policy

We follow coordinated disclosure. Once a fix is released we will publish a security advisory on GitHub with a CVE if applicable.
