From 4630060ee7f6a48d0a519a8396c8944ff946e2d7 Mon Sep 17 00:00:00 2001 From: Michael R Sweet Date: Fri, 6 Oct 2023 14:40:28 -0400 Subject: [PATCH] Update security reporting and contribution text. --- CONTRIBUTING.md | 10 ++++++---- SECURITY.md | 27 +++++++++++++++++++-------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2079b1b..606497f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -118,7 +118,7 @@ the source file and the copyright and licensing notice: // // Description of file contents. // - // Copyright YYYY by AUTHOR. + // Copyright © YYYY by AUTHOR. // // Licensed under Apache License v2.0. See the file "LICENSE" for more // information. @@ -330,7 +330,7 @@ typedef, for example: All constant names are uppercase with underscores between words, e.g., `PDFIO_THIS_CONSTANT`, `PDFIO_THAT_CONSTANT`, etc. Constants begin with the -"PDFio\_" prefix to avoid conflicts with system constants. Private constants +"PDFIO\_" prefix to avoid conflicts with system constants. Private constants start with an underscore, e.g., `_PDFIO_THIS_CONSTANT`, `_PDFIO_THAT_CONSTANT`, etc. @@ -369,11 +369,12 @@ extensions MUST NOT be used. The following variables are defined in the makefile: - `AR`; the static library archiver command, -- `ARFLAGS`; options for the static library archiver command, +- `ARFLAGS`; options for the static library archiver, - `CC`; the C compiler command, -- `CFLAGS`; options for the C compiler command, +- `CFLAGS`; options for the C compiler, - `CODESIGN_IDENTITY`: the code signing identity, - `COMMONFLAGS`; common compiler optimization options, +- `CPPFLAGS`; options for the C preprocessor, - `DESTDIR`/`DSTROOT`: the destination root directory when installing. - `DSO`; the shared library building command, - `DSOFLAGS`; options for the shared library building command, 
@@ -395,4 +396,5 @@ The following standard targets are defined in the makefile: with debug printfs and the clang address sanitizer enabled. - `install`; installs all distribution files in their corresponding locations. - `install-shared`; same as `install` but also installs the shared library. +- `macos`; same as `all` but creates a Universal Binary (X64 + ARM64). - `test`; runs the unit test program, building it as needed. diff --git a/SECURITY.md b/SECURITY.md index 3db4e18..9b222df 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,6 +5,25 @@ This file describes how security issues are reported and handled, and what the expectations are for security issues reported to this project. +Reporting a Security Bug +------------------------ + +For the purposes of this project, a security bug is a software defect that +allows a *local or remote user* to gain unauthorized access or privileges on the +host computer or to cause the software to crash. Such defects should be +reported to the project security advisory page at +. + +Alternately, security bugs can be reported to "security AT msweet.org" using the +PGP public key below. Expect a response within 5 business days. Any proposed +embargo date should be at least 30 days and no more than 90 days in the future. + +> *Note:* If you've found a software defect that allows a *program* to gain +> unauthorized access or privileges on the host computer or causes the program +> to crash, that defect should be reported as an ordinary project issue at +> . + + Responsible Disclosure ---------------------- @@ -50,14 +69,6 @@ example: 1.0rc1 -Reporting a Vulnerability -------------------------- - -Report all security issues to "security AT msweet.org". Expect a response -within 5 business days. Any proposed embargo date should be at least 30 days -and no more than 90 days in the future. - - PGP Public Key --------------
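Review bot: the `Copyright © YYYY by AUTHOR.` change in the CONTRIBUTING.md source-file template introduces a non-ASCII character into the header that every C source file is expected to copy. That is fine if the project's sources are UTF-8, but the template is the first place contributors look, so add a short note there that source files are UTF-8 (or keep the plain-ASCII `Copyright YYYY` form) so that editors and compilers running under other locales do not mangle the header.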
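Review bot: in the makefile-variables hunk the new `CPPFLAGS` entry follows the `;` form used by most of the list, but the list itself is inconsistent: `CODESIGN_IDENTITY` and `DESTDIR`/`DSTROOT` use `:` after the name, and the `DESTDIR` entry ends with a period while every other entry ends with a comma. Since this hunk already touches neighbouring lines, normalize all entries to one separator and one terminator, e.g. `- \`CODESIGN_IDENTITY\`; the code signing identity,` and `- \`DESTDIR\`/\`DSTROOT\`; the destination root directory when installing,`.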
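Review bot: the new `macos` target entry describes the output as `Universal Binary (X64 + ARM64)`; the architecture names Apple's tools use (`-arch`, `lipo`) are `x86_64` and `arm64`, so write those to match what a contributor will see and type.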
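Review bot: in the new "Reporting a Security Bug" section of SECURITY.md, the boundary between the private advisory path and the public issue tracker is ambiguous for the most common class of library bugs, a crash or memory error triggered by a crafted PDF. The body says a defect that lets a *local or remote user* crash the software is a security bug, while the note sends defects that let a *program* crash to an ordinary issue; a reporter holding a malformed-input crash can read that either way. Suggest one sentence stating that crashes reproducible from an attacker-supplied input file belong on the advisory path, and that reporters who are unsure should use the private channel, so potentially exploitable memory-safety bugs are not disclosed in public issues before a fix exists. Also, in the hunk as shown the advisory-page and issue-tracker links read as `at` followed directly by `.` with no visible URL; confirm the rendered Markdown carries both targets.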
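Review bot: dropping the old "Reporting a Vulnerability" section loses nothing, since the new section carries over the same `security AT msweet.org` address, the 5-business-day response time and the 30-90 day embargo window; but the heading name changed, so check that the "Responsible Disclosure" section that now sits between them, and any link elsewhere in the repository that points at the old heading anchor, are updated to the new "Reporting a Security Bug" heading.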