## Vulnerabilities in `harp`

It is possible that `harp` or its dependent libraries contain vulnerabilities
that would allow triggering unexpected or dangerous behavior with specially
crafted inputs.

### What is a vulnerability?

Since `harp` compiles web projects, reading, writing, and deleting files is not
unexpected behavior and therefore is not a vulnerability in `harp`. Please only
submit file system concerns if you believe behaviour exists that is not intended
by the design of the software.

### Reporting vulnerabilities

Please email reports about any security-related issues you find to
`brock@sintaxi.com`. Please use a descriptive subject line for your report
email. It's appreciated if you include a patch that fixes the security issue -
though that is not required.

In addition, please include the following information along with your report:

* Your name and affiliation (if any).
* A description of the technical details of the vulnerabilities. It is very
  important to include details on how we can reproduce your findings.
* An explanation of who can exploit this vulnerability, and what they gain when
  doing so -- write an attack scenario. This will help us evaluate your report
  quickly, especially if the issue is complex.
* Whether this vulnerability is public or known to third parties. If it is, please
  provide details.

If you believe that an existing (public) issue is security-related, please send
an email to `brock@sintaxi.com`. The email should include the issue ID and a
short description of why it should be handled according to this security policy.

Once an issue is reported, `harp` uses the following process:

* When a report is received, we will determine its severity.
* Wherever possible, fixes are prepared for the last minor release of the two
  latest major releases, as well as the master branch. We will attempt to commit
  these fixes as soon as possible, and as close together as possible.
|