Security fixes for older versions are evaluated on a case-by-case basis depending on the severity of the vulnerability and the effort required to backport the fix.

• Non-sensitive issues: Open a GitHub issue
• Security vulnerabilities: Contact the maintainer directly via GitHub

When reporting a security vulnerability, please include:

1. A description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact assessment
4. Any suggested fixes (if applicable)
5. Your contact information for follow-up questions

• Acknowledgment: Within 48-72 hours
• Initial assessment: Within 1 week
• Resolution timeline: Depends on severity and complexity

1. Report received: You will receive an acknowledgment within 48-72 hours
2. Triage: We assess the severity and validity of the report
3. Investigation: We investigate the issue and develop a fix
4. Disclosure: We coordinate disclosure timing with you
5. Release: Security fix is released with appropriate credit (if desired)

pyFIA executes SQL queries against DuckDB databases containing FIA data. The library implements the following safeguards:

• Input validation: Domain expressions are validated before execution
• SQL injection prevention: Domain filter syntax is parsed and validated to prevent injection attacks
• Identifier sanitization: Table and column names are sanitized

Users should only use FIA database files from trusted sources:

• Official USDA Forest Service FIA DataMart
• pyFIA's built-in downloader (which retrieves from official sources)
• MotherDuck cloud databases with verified data

Do not use database files from untrusted sources, as database files can contain malicious content.

• Keep pyFIA updated to the latest version
• Verify the integrity of downloaded FIA databases
• Run pyFIA in environments with appropriate access controls
• Review domain expressions before execution if they come from untrusted input