
Security: AndreaBozzo/IcebergSharp


SECURITY.md

Security policy

Supported versions

| Version | Supported |
| --- | --- |
| 0.x (prerelease) | Latest minor only |
| 1.x (planned) | Latest minor + previous minor |

Reporting a vulnerability

Please do not open public issues for security vulnerabilities.

Email andreabozzo92@gmail.com with:

  • A description of the issue and the impact.
  • Steps to reproduce.
  • The affected version(s).

You can expect an initial reply within 7 days. Once a fix is available, a coordinated disclosure date will be agreed on with the reporter.

Threat model notes

IcebergSharp is a client library. It reads data from object storage based on metadata fetched from a REST catalog. In particular:

  • Catalog responses are trusted. A malicious catalog can point the client at arbitrary URLs within its file IO scope. Operate REST catalogs over TLS with proper authentication.
  • Object storage credentials are the user's responsibility. IcebergSharp does not cache or persist credentials; it consumes them via the standard AWS / Azure SDK credential chains.
  • Data files are parsed by Parquet.Net. Vulnerabilities in the Parquet decoder are in scope for an advisory, but the fix will typically be a version bump of the upstream dependency.
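One way an application can narrow the file IO scope described in the first note, as an added example that is not IcebergSharp's own code: every location the REST catalog hands back is checked against an application-configured allow-list of storage prefixes before it is read. The `CatalogLocationGuard` class and the `s3://analytics-warehouse/iceberg/` prefix are hypothetical and constructed for this example.

```csharp
using System;
using System.Linq;

// Hypothetical guard (not part of IcebergSharp): a catalog-returned location
// (metadata file, manifest list, data file) is readable only if it falls under
// a storage prefix the application intends to read from.
public static class CatalogLocationGuard
{
    // Constructed allow-list; a real deployment would load this from config.
    // Each prefix must end with '/' so "…/iceberg/" does not also admit "…/icebergX/".
    private static readonly string[] AllowedPrefixes =
    {
        "s3://analytics-warehouse/iceberg/",
    };

    public static bool IsInScope(string location)
    {
        if (string.IsNullOrWhiteSpace(location)) return false;

        // Reject literal or percent-encoded dot-segments and backslashes before
        // any URI normalization, so "/iceberg/../other" cannot be folded into scope.
        var raw = Uri.UnescapeDataString(location);
        if (raw.Contains('\\')) return false;
        if (raw.Split('/').Any(segment => segment == "..")) return false;

        if (!Uri.TryCreate(location, UriKind.Absolute, out var uri)) return false;

        // Query strings and fragments are not part of an object key; treat them as out of policy.
        if (!string.IsNullOrEmpty(uri.Query) || !string.IsNullOrEmpty(uri.Fragment)) return false;

        // Canonical form: scheme + authority (lower-cased by Uri) + path, without query/fragment.
        var canonical = uri.GetLeftPart(UriPartial.Path);

        return AllowedPrefixes
            .Select(prefix => prefix.EndsWith("/") ? prefix : prefix + "/")
            .Any(prefix => canonical.StartsWith(prefix, StringComparison.Ordinal));
    }

    public static void Main()
    {
        // Constructed sample locations, as a catalog might return them.
        string[] samples =
        {
            "s3://analytics-warehouse/iceberg/db/table/metadata/v3.metadata.json",  // in scope
            "s3://analytics-warehouse/icebergX/secret.parquet",                    // sibling prefix
            "s3://analytics-warehouse/iceberg/../credentials/keys.json",           // dot-segment
            "s3://other-bucket/iceberg/db/table/data/0.parquet",                   // other bucket
        };
        foreach (var s in samples)
            Console.WriteLine($"{(CatalogLocationGuard.IsInScope(s) ? "allow" : "deny ")}  {s}");
    }
}
```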

There aren't any published security advisories