mirror of
https://github.com/michaelrsweet/pdfio.git
synced 2026-01-15 16:30:32 +01:00
Clarify security policy.
38
SECURITY.md
@@ -5,12 +5,40 @@ This file describes how security issues are reported and handled, and what the
expectations are for security issues reported to this project.


What is a Security Bug?
-----------------------
Not every bug is a security bug.
Certain bugs that might be considered security bugs in a program, such as bugs
that lead to a Denial of Service, are *not* considered security bugs simply
because this project *does not provide a service*. Some might argue that, "my
server uses this library and the bug in this library causes a denial of service
for my server", however it is the responsibility of the *server* to protect
against DoS attacks, not a subordinate library, because only the server knows
what is an appropriate use of memory, CPU, time, and other resources.
Similarly, bugs caused by incorrect API usage such as passing `NULL` pointers
where such pointers are not allowed, passing the wrong kinds of pointers or
objects to an API, or using a private API are not security bugs because they
are not caused by an attacker but by the developer.
Finally, bugs that only exist in unreleased (non-production) or inactive code
are not security bugs because they do not affect ordinary users. See the
[Supported Versions](#supported-versions) section below for more information
about what versions of the project are covered by this security policy.
If the bug you've found falls into one of these three categories, please report
the bug as an the ordinary project issue at
<https://github.com/michaelrsweet/pdfio/issues>.


Reporting a Security Bug
------------------------
For the purposes of this project, a security bug is a software defect that
allows a *local or remote user* to gain unauthorized access or privileges on the
host computer or to cause the software to crash. Such defects should be
host computer or to causes the software to crash. Such defects should be
reported to the project security advisory page at
<https://github.com/michaelrsweet/pdfio/security/advisories>.
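Review bot: typo in the added paragraph that closes the "What is a Security Bug?" section: "please report the bug as an the ordinary project issue at" should read "please report the bug as an ordinary project issue at". The replacement of "to causes the software to crash" with "to cause the software to crash" in the reporting paragraph is correct.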
@@ -18,11 +46,6 @@ Alternately, security bugs can be reported to "security AT msweet.org" using the
PGP public key below. Expect a response within 5 business days. Any proposed
embargo date should be at least 30 days and no more than 90 days in the future.
> *Note:* If you've found a software defect that allows a *program* to gain
> unauthorized access or privileges on the host computer or causes the program
> to crash, that defect should be reported as an ordinary project issue at
> <https://github.com/michaelrsweet/pdfio/issues>.


Responsible Disclosure
----------------------
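Review bot: the removed note excluded crashes caused by a *program* rather than a user, while the new "What is a Security Bug?" section only excludes developer API misuse (passing `NULL` pointers, the wrong kinds of pointers or objects, or using a private API). Consider stating explicitly whether a crash triggered by malformed input data, with the API used correctly, counts as "a local or remote user" causing the software to crash, since that is the case a reporter is most likely to be unsure about.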
@@ -68,6 +91,9 @@ example:
1.0b2
1.0rc1
Pre-release code in a Git branch ("master", "v1.6.x", etc.) is similarly *not*
production release code.


PGP Public Key
--------------
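Review bot: the added sentence lists "v1.6.x" beside "master" as a branch holding pre-release code, but a versioned branch of that form normally also carries the tagged releases cut from it. Consider saying that only commits in a branch beyond the most recent tagged release are not production release code, so a report against a tagged release on such a branch is not read as out of scope.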