Added security policy (#3070)
RunDevelopment authored Jul 27, 2022
1 parent 866b302 commit 05ee042
Showing 1 changed file with 51 additions and 0 deletions.
51 changes: 51 additions & 0 deletions SECURITY.md
@@ -0,0 +1,51 @@
# Security Policy

## What is considered a vulnerability?

There are some types of [low-severity][severity] vulnerabilities that we will not acknowledge as CVE and treat as bugs instead.
All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed.

Please see the below section on how we treat [ReDoS] vulnerabilities.

If you are unsure whether a vulnerability you found qualifies, please report it as a vulnerability via email (see below).

### ReDoS

Prism is a regex-based syntax highlighter.
As such, the main types of vulnerabilities reported to us are [ReDoS] vulnerabilities ([CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)), aka slow regexes.

However, not all ReDoS is created equal.
A slow regex can be have a [worst-case time complexity](https://en.wikipedia.org/wiki/Time_complexity) anywhere from _O(n<sup>2</sup>)_ to _2<sup>O(n)</sup>_.
This matters because a worst-case time complexity _≥ O(n<sup>3</sup>)_ is a [high severity][severity] vulnerability while _O(n<sup>2</sup>)_ is low or medium severity in the context of Prism.
Furthermore, worst-case time complexities of _O(n<sup>2</sup>)_ can have 2 different causes: backtracking or moving.
Backtracking is always fixable by rewriting the slow regex but moving is not (except in special cases).

Because of their lower severity and the fact that moving is difficult or impossible to fix, we will treat regexes with worst-case time complexity of _O(n<sup>2</sup>)_ caused by moving as regular bugs and not as vulnerabilities.
Please report them as [bugs](https://github.com/PrismJS/prism/issues/new/choose) instead of as vulnerabilities.

If you found a slow regex but are unsure about the worst-case time complexity or its cause, please report it as a vulnerability via email (see below).


## Reporting a Vulnerability

***DO NOT CREATE AN ISSUE*** to report a vulnerability.

Instead, please send an email to at least one of [Prism's maintainers](MAINTAINERS.md).
See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details.

### Procedure

1. After you send an email [a maintainer](MAINTAINERS.md), you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days.

We may require further information, so please keep in touch with us until the vulnerability has been fixed.

2. After the vulnerability has been confirmed and accepted, we will create a [security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) and start working on a fix.

You will be [added as a collaborator](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory) (this requires a GitHub account).
At this point, all communication will occur using comments on the advisory and the [temporary private fork](https://docs.github.com/en/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability).

3. After the fix has been merged, we will make a new release and publish the security advisory within one week.


[ReDoS]: https://en.wikipedia.org/wiki/ReDoS
[severity]: https://www.imperva.com/learn/application-security/cve-cvss-vulnerability/
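Review bot: The ReDoS section makes "moving" the criterion that decides whether an O(n^2) regex is filed as a bug or reported as a vulnerability (`Furthermore, worst-case time complexities of _O(n<sup>2</sup>)_ can have 2 different causes: backtracking or moving.`), but the term is never defined and no reference is given, so a reporter cannot apply the policy to their own finding; add a one-sentence definition or a link, and likewise point to how worst-case complexity can be estimated, since the text asks reporters to classify it themselves. Two wording fixes in the same hunk: `A slow regex can be have a [worst-case time complexity]` should read "can have", and `After you send an email [a maintainer](MAINTAINERS.md)` is missing "to" before "a maintainer". The Reporting section also names no confidential channel beyond plain email to a maintainer (no PGP key or equivalent) and the file has no "Supported Versions" section stating which releases receive fixes; both are standard parts of a SECURITY.md and would help reporters and downstream users act on the policy.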
