## Vulnerabilities in `harp`

It is possible that `harp` or its dependent libraries contain vulnerabilities
that would allow triggering unexpected or dangerous behavior with specially
crafted inputs.

### What is a vulnerability?

Since `harp` compiles web projects, reading, writing, and deleting files is not
unexpected behavior and therefore is not a vulnerability in `harp`. Please only
submit file system concerns if you believe behaviour exists that is not intended
by the design of the software.

### Reporting vulnerabilities

Please email reports about any security related issues you find to
`brock@sintaxi.com`. Please use a descriptive subject line for your report
email. It's appreciated if you include a patch that fixes the security issue,
though that is not required.

In addition, please include the following information along with your report:

* Your name and affiliation (if any).
* A description of the technical details of the vulnerabilities. It is very
  important to include details on how we can reproduce your findings.
* An explanation of who can exploit this vulnerability, and what they gain when
  doing so: write an attack scenario. This will help us evaluate your report
  quickly, especially if the issue is complex.
* Whether this vulnerability is public or known to third parties. If it is, please
  provide details.

If you believe that an existing (public) issue is security-related, please send
an email to `brock@sintaxi.com`. The email should include the issue ID and a
short description of why it should be handled according to this security policy.

Once an issue is reported, `harp` uses the following process:

* When a report is received, we will determine its severity.
* Wherever possible, fixes are prepared for the last minor release of the two
  latest major releases, as well as the master branch. We will attempt to commit
  these fixes as soon as possible, and as close together as possible.