## Supported Versions

We actively support the following versions with security updates:

| Version | Supported |
|---|---|
| 1.x.x | ✅ Active support |
| 0.x.x | ❌ End of life |
## Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

- Email: Send details to [savas@parastatidis.name](mailto:savas@parastatidis.name)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Suggested fix (if any)
## Response Timeline

This is not a supported product, but we will do our best to provide:

- Acknowledgment: Within a week
- Initial Assessment: Within 2 weeks
- Regular Updates: Every 1-2 weeks until resolved
- Resolution Timeline: Varies by severity (see below)
## Security Best Practices

### Connection Security

- Always use encrypted connections to Neo4j
- Implement proper authentication and authorization
- Use connection pooling securely
- Validate connection strings

### Query Security

- GraphModel automatically parameterizes queries to prevent injection
- Be cautious with dynamic query building
- Validate user inputs before querying
- Use strongly-typed queries when possible

### Serialization Security

- Complex properties are serialized securely
- Be aware of deserialization vulnerabilities
- Validate serialized data sources
- Consider encryption for sensitive data

### Configuration Security

- Store connection strings securely (Azure Key Vault, etc.)
- Use environment variables for sensitive configuration
- Follow least-privilege principles
- Regularly rotate credentials
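The following is an added example, not part of GraphModel's own API: it loads the `NEO4J_CONNECTION`, `NEO4J_USERNAME` and `NEO4J_PASSWORD` variables used on this page and refuses to start unless the connection string uses an encrypted Neo4j URI scheme, combining the "validate connection strings", "encrypted connections" and "environment variables" points above. The `Neo4jSettings` and `Neo4jSettingsLoader` names are hypothetical.

```csharp
using System;

// Settings loaded from the environment; ToString is overridden so the
// password does not leak into logs via the record's default formatter.
public sealed record Neo4jSettings(string ConnectionString, string Username, string Password)
{
    public override string ToString() => $"Neo4jSettings({ConnectionString}, {Username}, ***)";
}

public static class Neo4jSettingsLoader
{
    // Neo4j URI schemes that negotiate TLS. The "+ssc" variants accept
    // self-signed certificates, so they are only allowed on explicit opt-in.
    private static readonly string[] EncryptedSchemes = { "neo4j+s", "bolt+s" };
    private static readonly string[] SelfSignedSchemes = { "neo4j+ssc", "bolt+ssc" };

    // Returns true only if the connection string parses as an absolute URI
    // whose scheme guarantees an encrypted transport.
    public static bool IsEncrypted(string connectionString, bool allowSelfSigned = false)
    {
        if (!Uri.TryCreate(connectionString, UriKind.Absolute, out var uri))
            return false;
        var scheme = uri.Scheme; // System.Uri already lower-cases the scheme
        return Array.IndexOf(EncryptedSchemes, scheme) >= 0
            || (allowSelfSigned && Array.IndexOf(SelfSignedSchemes, scheme) >= 0);
    }

    // Reads the three environment variables named on this page and fails
    // fast if any is missing or the URI would produce an unencrypted session.
    public static Neo4jSettings FromEnvironment(bool allowSelfSigned = false)
    {
        var connection = Require("NEO4J_CONNECTION");
        var username = Require("NEO4J_USERNAME");
        var password = Require("NEO4J_PASSWORD");
        if (!IsEncrypted(connection, allowSelfSigned))
            throw new InvalidOperationException(
                "NEO4J_CONNECTION must use an encrypted scheme such as neo4j+s:// or bolt+s://.");
        return new Neo4jSettings(connection, username, password);
    }

    private static string Require(string name)
    {
        var value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Environment variable {name} is not set.");
        return value;
    }
}
```

With the settings loaded, the page's constructor call becomes `new Neo4jGraph(settings.ConnectionString, settings.Username, settings.Password)`; pass `allowSelfSigned: true` only in development environments that use the `+ssc` schemes.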
## Secure Configuration Examples

### Connection Security

```csharp
// ✅ Good - encrypted connection
var graph = new Neo4jGraph("neo4j+s://your-server:7687",
    "username", "password");

// ❌ Avoid - unencrypted connection
var graph = new Neo4jGraph("neo4j://your-server:7687",
    "username", "password");
```

### Query Security

```csharp
// ✅ Good - parameterized queries
var users = await graph.Nodes<User>()
    .Where(u => u.Email == email) // Automatically parameterized
    .ToListAsync();

// ✅ Good - validate inputs
if (string.IsNullOrWhiteSpace(email) || !IsValidEmail(email))
    throw new ArgumentException("Invalid email");
```

### Configuration Security

```csharp
// ✅ Good - environment variables
var connectionString = Environment.GetEnvironmentVariable("NEO4J_CONNECTION");
var username = Environment.GetEnvironmentVariable("NEO4J_USERNAME");
var password = Environment.GetEnvironmentVariable("NEO4J_PASSWORD");

// ❌ Avoid - hardcoded credentials
var graph = new Neo4jGraph("neo4j://localhost:7687", "neo4j", "password123");
```

## Security Updates

Security updates are released as:
- Patch releases for supported versions
- Out-of-band releases for critical vulnerabilities
- Security advisories on GitHub
## Security Checklist

Before deploying to production:

- Use encrypted database connections
- Implement proper authentication
- Validate all user inputs
- Store credentials securely
- Enable logging and monitoring
- Keep dependencies updated
- Review custom serializers
- Test with security scanning tools
- Follow principle of least privilege
- Implement rate limiting if applicable
## Contact

For security-related questions or concerns:

- Security Email: [savas@parastatidis.name](mailto:savas@parastatidis.name)
- General Issues: GitHub Issues
- Documentation: GitHub Discussions

Thank you for helping keep GraphModel secure!