From 05ee042a81bebd4ed47ce986f93644a37b4e7ca1 Mon Sep 17 00:00:00 2001 From: Michael Schmidt Date: Wed, 27 Jul 2022 10:36:55 +0200 Subject: [PATCH] Added security policy (#3070) --- SECURITY.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..c796689dff --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,51 @@ +# Security Policy + +## What is considered a vulnerability? + +There are some types of [low-severity][severity] vulnerabilities that we will not acknowledge as CVE and treat as bugs instead. +All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed. + +Please see the below section on how we treat [ReDoS] vulnerabilities. + +If you are unsure whether a vulnerability you found qualifies, please report it as a vulnerability via email (see below). + +### ReDoS + +Prism is a regex-based syntax highlighter. +As such, the main types of vulnerabilities reported to us are [ReDoS] vulnerabilities ([CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)), aka slow regexes. + +However, not all ReDoS is created equal. +A slow regex can be have a [worst-case time complexity](https://en.wikipedia.org/wiki/Time_complexity) anywhere from _O(n2)_ to _2O(n)_. +This matters because a worst-case time complexity _≥ O(n3)_ is a [high severity][severity] vulnerability while _O(n2)_ is low or medium severity in the context of Prism. +Furthermore, worst-case time complexities of _O(n2)_ can have 2 different causes: backtracking or moving. +Backtracking is always fixable by rewriting the slow regex but moving is not (except in special cases). + +Because of their lower severity and the fact that moving is difficult or impossible to fix, we will treat regexes with worst-case time complexity of _O(n2)_ caused by moving as regular bugs and not as vulnerabilities. +Please report them as [bugs](https://github.com/PrismJS/prism/issues/new/choose) instead of as vulnerabilities. + +If you found a slow regex but are unsure about the worst-case time complexity or its cause, please report it as a vulnerability via email (see below). + + +## Reporting a Vulnerability + +***DO NOT CREATE AN ISSUE*** to report a vulnerability. + +Instead, please send an email to at least one of [Prism's maintainers](MAINTAINERS.md). +See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details. + +### Procedure + +1. After you send an email [a maintainer](MAINTAINERS.md), you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. + + We may require further information, so please keep in touch with us until the vulnerability has been fixed. + +2. After the vulnerability has been confirmed and accepted, we will create a [security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) and start working on a fix. + + You will be [added as a collaborator](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory) (this requires a GitHub account). + At this point, all communication will occur using comments on the advisory and the [temporary private fork](https://docs.github.com/en/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability). + +3. After the fix has been merged, we will make a new release and publish the security advisory within one week. + + +[ReDoS]: https://en.wikipedia.org/wiki/ReDoS +[severity]: https://www.imperva.com/learn/application-security/cve-cvss-vulnerability/