Currently, OtterLang is in Early Access (v0.1.0). Security updates are provided for the latest version.

| Version | Supported |
|---|---|
| 0.1.x | Yes |

If you discover a security vulnerability in OtterLang, please report it responsibly by following the steps below.
- Do NOT open a public GitHub issue
- Message security details to our Discord
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 7 days
- Keep you informed of progress
- Credit you in security advisories (unless you prefer otherwise)
As an experimental language, OtterLang has some security considerations:
- FFI System: FFI bridges load dynamic libraries into the process, so any code in those libraries runs with the program's privileges. Only use trusted Rust crates.
- Memory Safety: OtterLang uses reference counting and garbage collection. Memory safety bugs may still exist in the runtime.
- Runtime: The JIT runtime executes generated code. Running untrusted OtterLang code should be avoided.
- No Sandboxing: Currently, OtterLang programs run with the full system permissions of the user who launches them.
To help maintain security when using OtterLang:
- Validate Input: Always validate user input and external data before using it.
- Use Trusted FFI: Only import Rust crates from trusted sources.
- Error Handling: Use proper error handling (nil checks, etc.) rather than assuming operations succeed.
- Keep Updated: Use the latest version when available.
Security updates will be released as patch versions (0.1.x) and announced in:
- GitHub Releases
- Security Advisories
- CHANGELOG.md
We thank security researchers who responsibly disclose vulnerabilities.