Github
/
prism
mirror of
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added security policy (#3070)

This commit is contained in:
Michael Schmidt 2022-07-27 10:36:55 +02:00 committed by GitHub
parent 866b302e11
commit 05ee042a81
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
SECURITY.md Normal file
View File

@ -0,0 +1,51 @@
# Security Policy
## What is considered a vulnerability?
There are some types of [low-severity][severity] vulnerabilities that we will not acknowledge as CVE and treat as bugs instead.
All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed.
Please see the below section on how we treat [ReDoS] vulnerabilities.
If you are unsure whether a vulnerability you found qualifies, please report it as a vulnerability via email (see below).
### ReDoS
Prism is a regex-based syntax highlighter.
As such, the main types of vulnerabilities reported to us are [ReDoS] vulnerabilities ([CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)), aka slow regexes.
However, not all ReDoS is created equal.
A slow regex can be have a [worst-case time complexity](https://en.wikipedia.org/wiki/Time_complexity) anywhere from _O(n<sup>2</sup>)_ to _2<sup>O(n)</sup>_.
This matters because a worst-case time complexity _≥ O(n<sup>3</sup>)_ is a [high severity][severity] vulnerability while _O(n<sup>2</sup>)_ is low or medium severity in the context of Prism.
Furthermore, worst-case time complexities of _O(n<sup>2</sup>)_ can have 2 different causes: backtracking or moving.
Backtracking is always fixable by rewriting the slow regex but moving is not (except in special cases).
Because of their lower severity and the fact that moving is difficult or impossible to fix, we will treat regexes with worst-case time complexity of _O(n<sup>2</sup>)_ caused by moving as regular bugs and not as vulnerabilities.
Please report them as [bugs](https://github.com/PrismJS/prism/issues/new/choose) instead of as vulnerabilities.
If you found a slow regex but are unsure about the worst-case time complexity or its cause, please report it as a vulnerability via email (see below).
## Reporting a Vulnerability
***DO NOT CREATE AN ISSUE*** to report a vulnerability.
Instead, please send an email to at least one of [Prism's maintainers](MAINTAINERS.md).
See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details.
### Procedure
1. After you send an email [a maintainer](MAINTAINERS.md), you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days.
We may require further information, so please keep in touch with us until the vulnerability has been fixed.
2. After the vulnerability has been confirmed and accepted, we will create a [security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) and start working on a fix.
You will be [added as a collaborator](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory) (this requires a GitHub account).
At this point, all communication will occur using comments on the advisory and the [temporary private fork](https://docs.github.com/en/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability).
3. After the fix has been merged, we will make a new release and publish the security advisory within one week.
[ReDoS]: https://en.wikipedia.org/wiki/ReDoS
[severity]: https://www.imperva.com/learn/application-security/cve-cvss-vulnerability/