From 826a4f86f746c32833a21d8d35bc4a7707b5dec3 Mon Sep 17 00:00:00 2001 From: DRC Date: Wed, 3 Dec 2025 16:10:15 -0500 Subject: [PATCH] SECURITY.md: Further clarify security adv. policy Use stronger language in hopes that people will actually read it before spamming the security advisory system. If not, then I may be forced to disable private vulnerability reporting entirely. --- .github/SECURITY.md | 39 ++++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 895a4a26..d133006f 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md 
@@ -12,27 +12,40 @@ Vulnerabilities can be reported in one of the following ways: - [E-mail the project admin](https://libjpeg-turbo.org/About/Contact). You can optionally encrypt the e-mail using the provided public GPG key. + - Open a [GitHub draft security advisory](https://github.com/libjpeg-turbo/libjpeg-turbo/security/advisories/new). - Note that security advisories are reserved for security researchers who fully - understand the Common Vulnerability Scoring System (CVSS), Common Weakness - Enumeration (CWE), and Common Vulnerabilities and Exposures (CVE) Program and - who are prepared to demonstrate a known or probable exploit for an issue that - exists in an official release of libjpeg-turbo. For example, if a buffer - overrun, an uninitialized read, or undefined behavior can be triggered by - malformed data passed to a public libjpeg-turbo API function from an - otherwise well-behaved calling program, then it merits investigation as a - potential security issue. If, however, the calling program itself is - malformed and could not work properly with any image, then its inevitable - failure is not a security issue. Such failures can be reported using a - [GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose), - and they will be investigated as potential opportunities for user proofing. + + Note that **ALL** of the following **MUST** be true before opening a draft + security advisory: + + 1. You must be a security researcher who fully understands the Common + Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), + and Common Vulnerabilities and Exposures (CVE) Program. + 2. You must be prepared to demonstrate a known or probable exploit for the + issue. 
+ + For example, if a buffer overrun, an uninitialized read, or + undefined behavior can be triggered by malformed data passed to a public + libjpeg-turbo API function from an otherwise well-behaved calling program, + then it merits investigation as a potential security issue. If, however, + the calling program itself is malformed and could not work properly with + any image, then its inevitable failure is not a security issue. Such + issues will be investigated as potential opportunities for user proofing. + 3. The issue must exist in an official release of libjpeg-turbo. (See + below.) + + If any of those conditions is not true, then report the issue using a + [GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose) + or e-mail. + - [Beta and Post-Beta release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning) are not expected to be free of bugs, so vulnerabilities that affect only those release series (for example, vulnerabilities introduced by a new feature that is not present in a Stable release series) can optionally be reported using a [GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose). + Vulnerabilities that affect only [Alpha/Evolving release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning) should always be reported using a
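Review bot: The "For example … user proofing." paragraph placed under item 2 states a different condition (the failure must be triggerable through a public libjpeg-turbo API function from an otherwise well-behaved calling program, not caused by a malformed caller) than item 2's own requirement of being "prepared to demonstrate a known or probable exploit", so it would be clearer as its own numbered condition rather than a continuation of item 2. Also, the fallback sentence "If any of those conditions is not true, then report the issue using a [GitHub bug report](...) or e-mail." presents the public issue tracker and the private e-mail channel as interchangeable; since the e-mail contact listed above the advisory bullet is the confidential reporting path, consider stating that a reporter who fails only condition 1 but believes they have found a genuine vulnerability should use e-mail, so that the stricter advisory gatekeeping does not steer real vulnerabilities into public bug reports.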