summaryrefslogtreecommitdiff
path: root/SECURITY.md
diff options
context:
space:
mode:
authorMoonchild <moonchild@palemoon.org>2020-04-13 10:44:05 +0200
committerGitHub <noreply@github.com>2020-04-13 10:44:05 +0200
commit9f4b2a0e2362124c53f075c25060f9d61dd525dd (patch)
treef42210e8fb05bd62e5f9d4a4ce08089e6c8a2a72 /SECURITY.md
parenta2bc0e0ec6da3a689fa08cb02a9d65889de60f7c (diff)
downloaduxp-9f4b2a0e2362124c53f075c25060f9d61dd525dd.tar.gz
Create SECURITY.md
Provide basic instructions how to report security vulnerabilities.
Diffstat (limited to 'SECURITY.md')
-rw-r--r--SECURITY.md36
1 files changed, 36 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..af9c916cd0
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,36 @@
+# Security Policy
+
+## What is or is not a vulnerability?
+
+In general, vulnerabilities are those bugs that can actually be exploited to perform malicious tasks.
+Most _crashes_ are not security vulnerabilities. Although important to fix, they don't inherently cause a problem for the
+browser's security.
+
+What should be considered vulnerabilities or security hazards by default:
+- Use-after-free crashes, since those can potentially be used for remote code execution;
+- Spoofing issues in the UI;
+- File security issues, like out-of-bounds access to arbitrary files or locations;
+- Type confusion issues;
+- Bypass of security measures like CSP or the various mechanisms around HTTPS.
+
+Generally not security vulnerabilities:
+- Null dereferencing crashes;
+- Malware extensions (but please do report those on the forum in the extensions board!);
+- Denial-of-service (AKA "evil trap sites")
+- Browser hangs
+- Issues with non-standard manual configuration (either at build time or by manipulating about:config directly)
+
+## Reporting a Vulnerability
+
+If you find an issue in UXP or the applications it builds on that could impact the security or safety of users please **do not**
+make an issue on GitHub about it. GitHub does not support restricted viewability for security sensitive bugs.
+
+If you want to report a security-sensitive issue then please go to the [forum](https://forum.palemoon.org) and report the issue
+via a **private message** to **Moonchild** (the founder and prime responsible for security issues).
+The forum's private message system is fully secure since your visits are encrypted and private messages are not available to anyone
+except the recipient (not even moderators!).
+
+You will be informed via private message if the vulnerability report is accepted or declined, with reasoning.
+Security updates occur regularly and are given priority over most other development tasks. In general, they can be solved
+relatively quickly and will be included in the next point release (third digit if not rolled into a more major one).
+