Update security reporting and contribution text.

2024-11-08 06:28:27 +01:00 · 2023-10-06 14:40:28 -04:00 · 2023-10-06 14:40:28 -04:00 · 4630060ee7
commit 4630060ee7
parent 74a6fb1860
2 changed files with 25 additions and 12 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -118,7 +118,7 @@ the source file and the copyright and licensing notice:
    //
    // Description of file contents.
    //
-    // Copyright YYYY by AUTHOR.
+    // Copyright © YYYY by AUTHOR.
    //
    // Licensed under Apache License v2.0.  See the file "LICENSE" for more
    // information.
@ -330,7 +330,7 @@ typedef, for example:

 All constant names are uppercase with underscores between words, e.g.,
 `PDFIO_THIS_CONSTANT`, `PDFIO_THAT_CONSTANT`, etc.  Constants begin with the
-"PDFio\_" prefix to avoid conflicts with system constants.  Private constants
+"PDFIO\_" prefix to avoid conflicts with system constants.  Private constants
 start with an underscore, e.g., `_PDFIO_THIS_CONSTANT`,
 `_PDFIO_THAT_CONSTANT`, etc.

@ -369,11 +369,12 @@ extensions MUST NOT be used.
 The following variables are defined in the makefile:

 - `AR`; the static library archiver command,
- `ARFLAGS`; options for the static library archiver command,
+- `ARFLAGS`; options for the static library archiver,
 - `CC`; the C compiler command,
- `CFLAGS`; options for the C compiler command,
+- `CFLAGS`; options for the C compiler,
 - `CODESIGN_IDENTITY`: the code signing identity,
 - `COMMONFLAGS`; common compiler optimization options,
+- `CPPFLAGS`; options for the C preprocessor,
 - `DESTDIR`/`DSTROOT`: the destination root directory when installing.
 - `DSO`; the shared library building command,
 - `DSOFLAGS`; options for the shared library building command,
@ -395,4 +396,5 @@ The following standard targets are defined in the makefile:
  with debug printfs and the clang address sanitizer enabled.
 - `install`; installs all distribution files in their corresponding locations.
 - `install-shared`; same as `install` but also installs the shared library.
+- `macos`; same as `all` but creates a Universal Binary (X64 + ARM64).
 - `test`; runs the unit test program, building it as needed.
--- a/SECURITY.md
+++ b/SECURITY.md
@ -5,6 +5,25 @@ This file describes how security issues are reported and handled, and what the
 expectations are for security issues reported to this project.


+Reporting a Security Bug
+------------------------
+
+For the purposes of this project, a security bug is a software defect that
+allows a *local or remote user* to gain unauthorized access or privileges on the
+host computer or to cause the software to crash.  Such defects should be
+reported to the project security advisory page at
+<https://github.com/michaelrsweet/pdfio/security/advisories>.
+
+Alternately, security bugs can be reported to "security AT msweet.org" using the
+PGP public key below.  Expect a response within 5 business days.  Any proposed
+embargo date should be at least 30 days and no more than 90 days in the future.
+
+> *Note:* If you've found a software defect that allows a *program* to gain
+> unauthorized access or privileges on the host computer or causes the program
+> to crash, that defect should be reported as an ordinary project issue at
+> <https://github.com/michaelrsweet/pdfio/issues>.
+
+
 Responsible Disclosure
 ----------------------

@ -50,14 +69,6 @@ example:
    1.0rc1


-Reporting a Vulnerability
-------------------------
-
-Report all security issues to "security AT msweet.org".  Expect a response
-within 5 business days.  Any proposed embargo date should be at least 30 days
-and no more than 90 days in the future.
-
-
 PGP Public Key
 --------------