We take the security of RetDec seriously. If you believe you have found a security vulnerability, please report it to us responsibly.
Please use this submission form to report any (potential) security vulnerabilities.
When reporting, please provide as much detail as possible, including:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any suggested fixes (if applicable)
- Your contact information for follow-up
- Acknowledgment: We will acknowledge receipt of your report within 7 business days
- Updates: We will keep you informed of our progress
- Credit: We will credit you for the discovery (unless you prefer to remain anonymous)
We provide security updates for the following versions:
| Version | Supported | Status |
|---|---|---|
| 5.0.x | ✅ | Active |
| < 5.0 | ❌ | End of Life |
- Critical Vulnerabilities: Patched within 7 days, emergency release if needed
- High Severity: Patched within 30 days
- Medium Severity: Patched in next scheduled release
- Low Severity: Addressed when convenient
Critical:
- Remote code execution
- Privilege escalation
- Authentication bypass
- Data breach potential
High:
- Denial of service
- Information disclosure
- Security feature bypass
Medium:
- Cross-site scripting (if web interfaces exist)
- Memory leaks
- Improper input validation
Low:
- Minor information disclosure
- Bugs with only minor security implications
RetDec processes potentially untrusted binary input (executables, libraries, etc.). When analyzing unknown or untrusted binaries:
- Always run in a sandboxed environment
  - Use containers (Docker) or virtual machines
  - Limit file system access
  - Restrict network access
- Resource Limits
  - Set memory limits (malicious files can cause excessive memory usage)
  - Set CPU time limits
  - Monitor disk usage
- Input Validation
  - RetDec validates its input, but makes no guarantees for malformed binaries
  - Maliciously crafted binaries could trigger bugs
RetDec relies on several third-party libraries. We monitor these dependencies for security issues:
- LLVM: Custom fork based on upstream (security patches applied)
- Capstone: Disassembly engine (keep updated)
- YARA: Pattern matching (keep updated)
- OpenSSL: Cryptography library (system version required >= 1.1.1)
Recommendation: Keep your system's OpenSSL and other dependencies updated.
When building RetDec from source:
- Verify checksums: Our build system verifies SHA256 hashes for downloaded dependencies
- Use official sources: Clone from official GitHub repository
- Check signatures: Verify git commit signatures when available
- Isolate Analysis Environment

  ```bash
  # Example: Run in Docker container
  docker run --rm -v /path/to/binaries:/data retdec retdec-decompiler /data/binary
  ```

- Limit Permissions
  - Run as non-root user
  - Use read-only file systems where possible
  - Apply principle of least privilege
- Monitor Resources
  - Watch for excessive memory usage
  - Set timeouts for long-running analysis
  - Monitor CPU usage
- Validate Output
  - Review decompiled code carefully
  - Don't execute decompiled code without review
  - Be aware of potential malicious patterns
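The sandboxing, permission and resource-limit advice above, combined into one wrapper around the `retdec` Docker image. This is an added example, not RetDec's own tooling. It assumes a local image tagged `retdec` that runs `retdec-decompiler` as its command (as in the `docker run` line above), the `-o` output-file option of `retdec-decompiler`, and GNU coreutils `timeout` on the host; the memory, CPU, PID and time limits are illustrative defaults that can be overridden through the `RETDEC_*` variables.

```shell
#!/bin/sh
# Added example, not part of RetDec: decompile one untrusted binary inside the
# "retdec" image with no network, a read-only root, hard resource limits, no
# capabilities and a non-root UID. Only the output directory is writable.
#
# Usage: retdec_sandboxed /path/to/sample.bin [extra retdec-decompiler args...]
#        RETDEC_DRY_RUN=1 prints the docker command instead of running it.

retdec_sandboxed() {
    sample=$1
    shift
    [ -f "$sample" ] || { echo "no such file: $sample" >&2; return 2; }
    dir=$(cd "$(dirname "$sample")" && pwd)   # absolute path for the bind mount
    name=$(basename "$sample")
    outdir=${RETDEC_OUT:-$PWD/retdec-out}     # the only writable mount
    mkdir -p "$outdir"

    # Wall-clock limit on the host: timeout sends SIGTERM to the docker client,
    # which proxies it to the container's main process (sig-proxy is on by
    # default) and --rm removes the container; -k escalates to SIGKILL after 10 s.
    set -- \
        timeout -k 10 "${RETDEC_TIMEOUT:-600}" \
        docker run --rm \
        --network none \
        --read-only --tmpfs /tmp:rw,noexec,nosuid,size=256m \
        --memory "${RETDEC_MEM:-4g}" --memory-swap "${RETDEC_MEM:-4g}" \
        --cpus "${RETDEC_CPUS:-2}" --pids-limit 256 \
        --cap-drop ALL --security-opt no-new-privileges \
        --user "$(id -u):$(id -g)" \
        -v "$dir:/data:ro" \
        -v "$outdir:/out" \
        retdec retdec-decompiler "/data/$name" -o "/out/$name.c" "$@"
    # --network none: the sample cannot reach the network even if something
    #   in the toolchain is tricked into executing it
    # --read-only + --tmpfs /tmp: scratch space only, nothing persists
    # --memory == --memory-swap: the limit cannot be bypassed via swap
    # --pids-limit: bounds fork bombs; --cap-drop ALL + no-new-privileges:
    #   no capabilities and no setuid escalation inside the container
    # --user: files written to /out are owned by the invoking user

    if [ "${RETDEC_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}
```

Output files land in `$RETDEC_OUT` (default `./retdec-out`); because the input directory is mounted read-only, the decompiler's default of writing next to the input would fail, hence the explicit `-o`.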
- Code Security
  - Avoid unsafe C++ constructs (prefer smart pointers)
  - Validate all external input
  - Use RAII for resource management
  - Bounds check all array accesses
- Testing
  - Include security test cases
  - Test with malformed inputs
  - Fuzz test when possible
- Static Analysis
  - Code is checked with clang-tidy
  - CodeQL security scanning enabled
  - Address compiler warnings
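A harness for the "test with malformed inputs" guideline above, which also applies the per-process memory and CPU limits from the resource-limits section: it runs the decompiler over a directory of malformed or mutated binaries and classifies every run as ok, error, timeout or crash, so crashing inputs can be kept as bug reports or fuzz seeds. This is an added example, not RetDec's test suite. It assumes GNU coreutils `timeout`, a shell whose `ulimit` supports `-v` (Linux), and the `-o` output option of `retdec-decompiler`; the decompiler command comes from `$RETDEC_BIN` (default: `retdec-decompiler` on `PATH`), the limits are illustrative, and the corpus is not generated here (any mutator, or the files a fuzzer reports, can fill it).

```shell
#!/bin/sh
# Added example, not part of RetDec: robustness triage of a corpus of
# malformed inputs under ulimit-based resource limits.

# run_limited SECS MEM_KB CMD [ARGS...]
# Runs CMD with an address-space limit (KB), a CPU-time limit, core dumps
# disabled and a wall-clock timeout. Prints ok | error | timeout | crash:<sig>.
run_limited() {
    secs=$1; mem_kb=$2; shift 2
    st=0
    ( ulimit -c 0; ulimit -v "$mem_kb"; ulimit -t "$secs"
      exec timeout -k 5 "$secs" "$@" ) >/dev/null 2>&1 || st=$?
    if [ "$st" -eq 0 ]; then
        echo ok
    elif [ "$st" -eq 124 ]; then
        echo timeout                    # coreutils timeout expired
    elif [ "$st" -gt 128 ]; then
        echo "crash:$((st - 128))"      # killed by a signal: 11 = SIGSEGV,
                                        # 6 = SIGABRT, 24 = SIGXCPU (CPU limit)
    else
        echo error                      # clean non-zero exit (input rejected)
    fi
}

# triage_dir DIR [REPORT]
# Decompiles every regular file in DIR, appends "<result><TAB><file>" lines to
# REPORT (default: triage.tsv, keep it outside DIR) and prints the number of
# crashing inputs.
triage_dir() {
    dir=$1; report=${2:-triage.tsv}
    : > "$report"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        res=$(run_limited "${RETDEC_TIMEOUT:-120}" "${RETDEC_MEM_KB:-2000000}" \
                "${RETDEC_BIN:-retdec-decompiler}" "$f" \
                -o "${TMPDIR:-/tmp}/$(basename "$f").c")
        printf '%s\t%s\n' "$res" "$f" >> "$report"
    done
    grep -c '^crash' "$report" || true  # grep -c prints 0 but exits 1 on no match
}
```

Inputs that end up as `crash:*` are the ones worth minimising and attaching to a vulnerability report; `timeout` entries point at hangs or pathological complexity, which matter for anyone running the decompiler as a service.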
RetDec employs the following automated security measures:
- CodeQL Analysis: Weekly automated scans for security vulnerabilities
- Dependabot: Monitors GitHub Actions dependencies
- Static Analysis: clang-tidy checks on all pull requests
- Compiler Warnings: Enabled and monitored (except MSVC currently)
We follow coordinated disclosure:
- Vulnerability reported to us
- We investigate and develop fix
- Fix is released
- Public disclosure (typically 90 days after fix, or sooner if already public)
We will credit security researchers unless they prefer anonymity.
- Primary: Use vulnerability submission form
- GitHub: For non-critical security discussions, use GitHub Security Advisories
- Build security: See README.md for verified build process
- Contributing: See CONTRIBUTING.md for code quality guidelines
- Dependencies: See DEPENDENCY_ANALYSIS.md for dependency security info
This security policy may be updated from time to time. Check back regularly for changes.
Last Updated: 2025-11-03
Thank you for helping keep RetDec and its users safe!