Security: ahadiihsan/rack

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities. Currently supported versions:

Version   Supported
1.x.x     Yes

Reporting a Vulnerability

If you discover a security vulnerability within this project, please send an email to the maintainers. All security vulnerabilities will be promptly addressed.

Please do not open public issues for security vulnerabilities.

What to include in your report:

  • Type of vulnerability (e.g., SQL injection, XSS, etc.)
  • Full paths of affected source file(s)
  • Location of the affected source code (tag/branch/commit)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

What to expect:

  • Acknowledgment of your report within 48 hours
  • Regular updates on our progress
  • Notification when the vulnerability is fixed
  • Public credit for the discovery (if desired)

Security Best Practices

When using this library:

  1. Redis Security: Always secure your Redis instance with:

     • Password authentication (requirepass)
     • Network isolation (bind to localhost or use firewall rules)
     • TLS encryption for production deployments

  2. Input Validation: Validate all SKU keys and quantities before passing them to Sentinel methods

  3. Error Handling: Don't expose internal error details to end users

  4. Monitoring: Set up alerting for unusual patterns:

     • Excessive reservation failures
     • Abnormal rollback rates
     • Unexpected stock depletion

  5. Rate Limiting: Implement rate limiting at the API layer to prevent abuse
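An added illustration of practice 2 (input validation) for an application layer written in Python; this is example code, not part of the rack project, and the SKU character policy, the "stock:<sku>" key layout and the 10,000 per-request ceiling are assumptions chosen for the example.

```python
import re

# Assumed policy (not from the rack project): SKUs end up as part of Redis keys
# such as "stock:<sku>", so they must be short, printable and free of the
# delimiter, glob and whitespace characters used in Redis key patterns.
SKU_PATTERN = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\Z")
# Digits only, no sign, no leading zero: int() alone would accept " 5", "+5", "5_0".
QUANTITY_PATTERN = re.compile(r"\A[1-9][0-9]{0,8}\Z")
MAX_QUANTITY = 10_000  # assumed per-request ceiling for this deployment


class ValidationError(ValueError):
    """Input that must never reach a Sentinel method or be used in a Redis key."""


def validate_sku(sku: object) -> str:
    """Return the SKU unchanged if it is a safe key component, else raise."""
    if not isinstance(sku, str) or not SKU_PATTERN.match(sku):
        raise ValidationError("invalid sku")
    return sku


def parse_quantity(raw: object) -> int:
    """Turn a request value (str or int) into a bounded positive int."""
    if isinstance(raw, bool):  # bool subclasses int; True must not become 1
        raise ValidationError("invalid quantity")
    if isinstance(raw, int):
        qty = raw
    elif isinstance(raw, str) and QUANTITY_PATTERN.match(raw):
        qty = int(raw)
    else:
        raise ValidationError("invalid quantity")
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValidationError("invalid quantity")
    return qty


def validate_reservation(sku: object, raw_qty: object) -> tuple:
    """Validate both arguments; call this before every reserve or rollback call."""
    return validate_sku(sku), parse_quantity(raw_qty)


def is_valid_reservation(sku: object, raw_qty: object) -> bool:
    """Boolean form for handlers that reject with a generic message rather than raise."""
    try:
        validate_reservation(sku, raw_qty)
    except ValidationError:
        return False
    return True
```

The generic "invalid sku" / "invalid quantity" messages are what reaches the client; the rejected value itself belongs only in server-side logs, in line with practice 3.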

Known Security Considerations

  • This library does not implement authentication or authorization. These must be handled at the application layer.
  • The library assumes Redis is a trusted backend. Ensure Redis is properly secured.
  • Lua scripts execute with full Redis privileges. Never accept untrusted Lua code.