
Clarify policy on when a bug is considered a security issue #2038

Merged
merged 2 commits into from
Dec 21, 2021

Conversation

kevinbackhouse
Collaborator

I received a couple of bug reports recently that can only be triggered via our fuzzing target or via one of the "samples" applications. So I think that we should clarify the security policy to say that only bugs that can be triggered from the exiv2 command line are potential security vulnerabilities.

@codecov

codecov bot commented Dec 20, 2021

Codecov Report

Merging #2038 (5290479) into main (d508e09) will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##             main    #2038   +/-   ##
=======================================
  Coverage   61.38%   61.38%           
=======================================
  Files          96       96           
  Lines       19214    19214           
  Branches     9852     9852           
=======================================
  Hits        11794    11794           
  Misses       5096     5096           
  Partials     2324     2324           


@clanmills
Collaborator

Can we refine this a little, @kevinbackhouse?

Two scenarios in which we should treat an issue with a sample as a security vulnerability:

  1. If the sample application reveals a solid issue in the library, we should accept that as equivalent to an issue revealed by the exiv2 command-line program.

  2. If the sample application has a security issue with a genuine user file, that should also be treated as a high priority.

A scenario in which we should NOT treat a sample issue as a security risk:

  1. If there's a bug in a sample application that requires special input files and/or special build settings, that should be treated as a regular issue. Sample applications are provided to demonstrate the use of the API and should never be deployed for production use.

@kevinbackhouse
Collaborator Author

@clanmills: Thanks for the suggestions. I have updated the text.

Collaborator

@clanmills clanmills left a comment


Very well written.

@kevinbackhouse kevinbackhouse merged commit bea66d6 into Exiv2:main Dec 21, 2021
@kevinbackhouse kevinbackhouse deleted the SecurityPolicy branch December 21, 2021 13:47
@kevinbackhouse kevinbackhouse added this to the v1.00 milestone Dec 21, 2021