Strengthening the HDF5 Ecosystem: Updates from the NSF SHINES Initiative

February 16, 2026

HDF5 serves as the foundational infrastructure for data-intensive research worldwide. As part of our NSF HDF5 SHINES (Securing HDF5 for Industry, National Security, Engineering, and Science) project, we are working to transform HDF5 from a robust library and file format into a hardened, proactive ecosystem. This work is not just about patching code; it is about establishing a community standard for safety, security, and privacy, following best practices in industry and open-source scientific software.


Contents

Establishing a Foundation: The Need for a Shared Security Vocabulary
Technical Deep Dives: CVE Remediation and the Rise of SBOMs
Enhancing Security Governance: Introducing the PSIRT
Critical Resources: HDF5 2.0.0 Migration and CVE Mapping
Your Perspective: The 2026 HDF5 Security Survey

Establishing a Foundation: The Need for a Shared Security Vocabulary

Effective security begins with a common understanding. However, in many contexts, “security” becomes shorthand for everything that can go wrong. For HDF5, that shortcut impedes effective mitigation because it blurs three distinct kinds of harm: accidents, attacks, and exposures.

A recent technical blog post delves into these distinctions, providing a shared vocabulary that will guide our development roadmap toward a stronger HDF5 safety, security, and privacy posture. Understanding these pillars is the first step toward building a more resilient software and data supply chain.

Read the Blog: A Shared Vocabulary for HDF5

Technical Deep Dives: CVE Remediation and the Rise of SBOMs

In a recent “HDF clinic” session, we offered a first glimpse at our ongoing hardening efforts. We encourage all developers and system administrators to review these recorded deep dives:

  • A Comprehensive CVE Review: We recently completed a rigorous audit of all CVEs reported against the HDF5 library. Of the 127 vulnerabilities identified since 2016, 126 have been resolved, with the final fix slated for the upcoming 2.1.0 release. This session explores our remediation process and the critical importance of maintaining an up-to-date library to mitigate legacy risks. Watch the CVE Review: https://www.youtube.com/watch?v=ScGBhgnVz6M
  • The Future of Transparency: SBOMs and Audits: Modern software supply chain security requires knowing exactly what is in your software. We are currently implementing Software Bills of Materials (SBOMs) using the CycloneDX standard. This session details how these “nutrition labels” for software help integrators manage dependencies and highlights findings from our first security audit regarding artifact integrity. Watch the SHINES Check-In
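As an added example (not code from The HDF Group or the SHINES project), here is how an integrator can consume a CycloneDX JSON SBOM to act on the two points above: check whether the HDF5 component it lists is older than a required minimum (2.0.0 here) and verify a downloaded artifact against the SHA-256 the SBOM declares. The SBOM fragment, component names, versions, artifact bytes and hash are all constructed for this example.

```python
import hashlib
import json
import re

# Constructed stand-in for a build artifact; its SHA-256 is what the SBOM below declares.
ARTIFACT = b"constructed stand-in for an hdf5 build artifact\n"

# Constructed CycloneDX 1.5 JSON SBOM fragment (component list only; versions are sample values).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "hdf5", "version": "1.14.4",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(ARTIFACT).hexdigest()}]},
        {"type": "library", "name": "zlib", "version": "1.3.1"},  # no hash declared
    ],
})
SBOM = json.loads(SBOM_JSON)


def parse_version(v):
    """Turn '2.0.0' (or '2.0.0-rc1') into a comparable tuple of its first three integers."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def find_component(sbom, name):
    """Return the first component with this name, or None if the SBOM does not list it."""
    return next((c for c in sbom.get("components", []) if c.get("name") == name), None)


def outdated(sbom, name, minimum):
    """True if the SBOM lists `name` older than `minimum`, False if not, None if absent."""
    comp = find_component(sbom, name)
    if comp is None:
        return None
    return parse_version(comp.get("version", "0")) < parse_version(minimum)


def verify_artifact(sbom, name, data):
    """Compare the SHA-256 of `data` with every SHA-256 the SBOM declares for the component.

    Returns True on a match, False on a mismatch, and None when no SHA-256 is declared,
    so a missing hash is reported as "unverifiable" rather than silently passing.
    """
    comp = find_component(sbom, name) or {}
    declared = [h["content"].lower() for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"]
    if not declared:
        return None
    return hashlib.sha256(data).hexdigest() in declared
```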

Enhancing Security Governance: Introducing the PSIRT

To better serve our community, The HDF Group is evolving its security response infrastructure. We will soon officially launch a dedicated Product Security Incident Response Team (PSIRT). This team is tasked with rapid triage of vulnerabilities and proactive management of security advisories.

To support this, we have opened security@hdfgroup.org as a new channel for reporting security vulnerabilities in confidence. You can also use our GitHub Security page to report and privately discuss HDF5 library security vulnerabilities. Stay tuned for more on our PSIRT Team, coming soon.

Critical Resources: HDF5 2.0.0 Migration and CVE Mapping

The most basic protection against vulnerabilities is to use the latest version of the HDF5 library, and upgrading is a lot easier than you might think. To learn how to upgrade and how vulnerable your current version is, we have released two essential guides to assist our users:

  • The 2.0.0 Migration Path: HDF5 2.0.0 represents a significant milestone, moving exclusively to the CMake build system to improve maintainability and security, along with many other updates. This guide provides decision support and simple checklists to help everyone navigate this transition. View the Migration Guide
  • A Centralized CVE Mapping Guide: For security researchers and compliance officers, we have established a dedicated repository containing bit-for-bit reproduction scripts and test files for historical HDF5 library vulnerabilities. This resource ensures our community has the tools to verify fixes in their specific environments. Explore the CVE Repository

Your Perspective: The 2026 HDF5 Security Survey

The success of the NSF SHINES project depends on real-world use cases, requirements, and user data. We need to understand the unique safety, security, and privacy challenges you face—whether you are working in high-performance computing, healthcare, or aerospace. If you have not yet participated, please take a few moments to provide your input. Your feedback will directly influence the work of this project and how we prioritize features in future HDF5 releases.

Participate in the HDF5 Safety, Security, and Privacy Survey

This material is based upon work supported by the U.S. National Science Foundation under Federal Award No. 2534078. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
