diff options
Diffstat (limited to 'SECURITY.md')
-rw-r--r-- | SECURITY.md | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..af9c916cd --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,36 @@ +# Security Policy + +## What is or is not a vulnerability? + +In general, vulnerabilities are those bugs that can actually be exploited to perform malicious tasks. +Most _crashes_ are not security vulnerabilities. Although important to fix, they don't inherently cause a problem for the +browser's security. + +What should be considered vulnerabilities or security hazards by default: +- Use-after-free crashes, since those can potentially be used for remote code execution; +- Spoofing issues in the UI; +- File security issues, like out-of-bounds access to arbitrary files or locations; +- Type confusion issues; +- Bypass of security measures like CSP or the various mechanisms around HTTPS. + +Generally not security vulnerabilities: +- Null dereferencing crashes; +- Malware extensions (but please do report those on the forum in the extensions board!); +- Denial-of-service (AKA "evil trap sites") +- Browser hangs +- Issues with non-standard manual configuration (either at build time or by manipulating about:config directly) + +## Reporting a Vulnerability + +If you find an issue in UXP or the applications it builds on that could impact the security or safety of users please **do not** +make an issue on GitHub about it. GitHub does not support restricted viewability for security sensitive bugs. + +If you want to report a security-sensitive issue then please go to the [forum](https://forum.palemoon.org) and report the issue +via a **private message** to **Moonchild** (the founder and prime responsible for security issues). +The forum's private message system is fully secure since your visits are encrypted and private messages are not available to anyone +except the recipient (not even moderators!). + +You will be informed via private message if the vulnerability report is accepted or declined, with reasoning. +Security updates occur regularly and are given priority over most other development tasks. In general, they can be solved +relatively quickly and will be included in the next point release (third digit if not rolled into a more major one). + |