We provide security updates for the following versions of pmcgrab:

| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |

We take security vulnerabilities seriously. If you discover a security vulnerability in pmcgrab, please report it responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
- Email: rajdeep@rajdeepmondal.com
- Subject: [SECURITY] pmcgrab vulnerability report

Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested fixes or mitigations
- Your contact information (optional)

- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours.
- Initial Assessment: We will provide an initial assessment within 7 days.
- Resolution: We aim to resolve critical vulnerabilities within 30 days.

- We will work with you to understand and resolve the issue quickly.
- We will keep you informed of our progress throughout the process.
- We will publicly disclose the vulnerability after a fix is available.
- We will credit you for the discovery (if desired) in our security advisory.

When using pmcgrab:
- Keep Updated: Always use the latest version of pmcgrab.
- Validate Input: Validate PMC IDs and email addresses before processing.
- Network Security: Be aware that pmcgrab makes network requests to NCBI servers.
- Rate Limiting: Respect NCBI's rate limits and terms of service.
- Data Handling: Be mindful of how you store and process downloaded scientific content.

pmcgrab includes several security features:
- Input validation for PMC IDs and email addresses
- Timeout protection for network requests
- Optional XML DTD validation
- Safe HTML parsing and cleaning

We regularly monitor our dependencies for security vulnerabilities using:
- Automated dependency scanning
- Regular dependency updates
- Monitoring of security advisories

For general security questions or concerns, please contact:
- Email: rajdeep@rajdeepmondal.com
- GitHub: @rajdeepmondaldotcom

Thank you for helping to keep pmcgrab secure!