From 0bbdd6aa8625995ab487afd8f391e6fd97e5fd52 Mon Sep 17 00:00:00 2001 From: Michael R Sweet Date: Tue, 13 Jan 2026 14:11:44 -0500 Subject: [PATCH] Clarify security policy. --- SECURITY.md | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 79a022f..a908e2b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -5,12 +5,40 @@ This file describes how security issues are reported and handled, and what the expectations are for security issues reported to this project. +What is a Security Bug? +----------------------- + +Not every bug is a security bug. + +Certain bugs that might be considered security bugs in a program, such as bugs +that lead to a Denial of Service, are *not* considered security bugs simply +because this project *does not provide a service*. Some might argue that, "my +server uses this library and the bug in this library causes a denial of service +for my server", however it is the responsibility of the *server* to protect +against DoS attacks, not a subordinate library, because only the server knows +what is an appropriate use of memory, CPU, time, and other resources. + +Similarly, bugs caused by incorrect API usage such as passing `NULL` pointers +where such pointers are not allowed, passing the wrong kinds of pointers or +objects to an API, or using a private API are not security bugs because they +are not caused by an attacker but by the developer. + +Finally, bugs that only exist in unreleased (non-production) or inactive code +are not security bugs because they do not affect ordinary users. See the +[Supported Versions](#supported-versions) section below for more information +about what versions of the project are covered by this security policy. + +If the bug you've found falls into one of these three categories, please report +the bug as an the ordinary project issue at +. + + Reporting a Security Bug ------------------------ For the purposes of this project, a security bug is a software defect that allows a *local or remote user* to gain unauthorized access or privileges on the -host computer or to cause the software to crash. Such defects should be +host computer or to causes the software to crash. Such defects should be reported to the project security advisory page at . 
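Review bot: the hunk introduces a grammar error in the unchanged-in-intent definition sentence: `-host computer or to cause the software to crash.` becomes `+host computer or to causes the software to crash.`; revert that line to "to cause". In the same hunk, "please report the bug as an the ordinary project issue at" has a doubled article ("as an the"), and the issue-tracker link that follows is empty in this hunk (`.`), so the sentence points nowhere; supply the tracker URL. There is also a policy inconsistency worth resolving before merging: the new section states that Denial of Service bugs are *not* security bugs, yet the retained definition under "Reporting a Security Bug" still counts a defect that causes "the software to crash" as a security bug, and a remotely triggerable crash is itself a denial of service. Either narrow the crash clause (for example to crashes that indicate memory corruption) or qualify the DoS paragraph so the two statements agree.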
@@ -18,11 +46,6 @@ Alternately, security bugs can be reported to "security AT msweet.org" using the PGP public key below. Expect a response within 5 business days. Any proposed embargo date should be at least 30 days and no more than 90 days in the future. -> *Note:* If you've found a software defect that allows a *program* to gain -> unauthorized access or privileges on the host computer or causes the program -> to crash, that defect should be reported as an ordinary project issue at -> . - Responsible Disclosure ---------------------- @@ -68,6 +91,9 @@ example: 1.0b2 1.0rc1 +Pre-release code in a Git branch ("master", "v1.6.x", etc.) is similarly *not* +production release code. + PGP Public Key --------------
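Review bot: removing the "*Note:*" block in the second hunk is consistent with moving the "program, not user" distinction into the new "What is a Security Bug?" section, but it also removes the only paragraph in this part of the file that told reporters where non-security defects go; after this change that guidance exists solely in the new section, whose tracker link is currently empty, so make sure the two hunks land together with the URL filled in.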
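Review bot: in the third hunk, "Pre-release code in a Git branch (\"master\", \"v1.6.x\", etc.) is similarly *not* production release code" is ambiguous for a version-named branch: a branch such as "v1.6.x" normally carries both tagged releases and fixes committed since the last tag, so a reader may read this as excluding the released 1.6.x versions themselves from the policy. Suggest stating that only tagged releases are production code and that unreleased commits on any branch, including versioned maintenance branches, are pre-release; this keeps the sentence aligned with the "Supported Versions" section the first hunk refers to.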