diff --git a/README.md b/README.md index ee05686d..9a60b5c9 100644 --- a/README.md +++ b/README.md @@ -151,6 +151,10 @@ Alternatively, lock out the credential based on incorrect attempts. - authenticator-rs - webauthn-rs +# Security Policy + +See [SECURITY.md](/SECURITY.md) for our security policy. + # License See the [LICENSE.md](LICENSE.md) file for license rights and limitations (LGPL-3.0-only). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..9b48eb13 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,84 @@ +# credentialsd Security Policy + +Since this project handles very sensitive data, we, the maintainers of +credentialsd, take security seriously. This policy outlines our intentions for +addressing security issues and practices for security researchers investigating +this project. + +## Submitting Vulnerability Reports + +If you have discovered a security vulnerability in this project, please report it +to us privately via the process below. + +We use GitHub for private vulnerability disclosure. To report a vulnerability: + +1. Go to [Security > Advisories > New draft security advisory][new-advisory]. +2. Fill out the report and submit the draft. +3. The maintainers will be privately notified about the advisory and get back to + you. + +[new-advisory]: https://github.com/linux-credentials/credentialsd/security/advisories/new + +## Expected Response + +We aim to acknowledge the receipt of the report as soon as possible and will +work with you. We seek to investigate issues within 30 days. + +If the issue is confirmed upon investigation, we will collaborate with you to +remediate the vulnerability. Depending on the severity or developer +availability, we may request more time to remediate the issue before +public disclosure. + +# Supported Releases + +We only support the latest published release. We may backport patches when +possible to help users running on distributions that package older versions of +our software. + +# Threat Model + +We do not currently have a formally defined threat model; we will continue to +document it over time. However, the basic security guarantees we would like to +achieve are defined below. + +Please note, that if you believe you have discovered a security problem outside +of this scope, we still want to know about it! We would still like to discuss +the issue privately, but we may decide to address it beyond the response +time described above. + +## Definitons + +- _privileged client_: A client that is allowed to make requests for credentials + for any origin. +- _unprivileged client_: A client that is allowed to make requests for + credentials for only a preconfigured set of origins. + +## Scope + +Here is the current list of items that are in scope: + +- Privileged clients may request credentials via this service[^1] for any origin. +- The list of privileged clients cannot change without: + - `root` privileges, or + - user consent[^2] +- The list of unprivileged clients cannot change without: + - `root` privileges, or + - user consent[^2] + +We implicitly trust the kernel and D-Bus, so any attacks that exploit those are +out of scope for this project. + +Some other attacks that are explicitly out of scope are those that require: + +- physical access +- direct access to authenticators +- root privilege escalation + +[^1]: + Various systems may allow users to interact with authenticators directly + (e.g. allowing unrestricted permission to USB devices or Bluetooth service + data), so those are out of scope. + +[^2]: + In the future we may offer a stricter guarantee that privileged clients + must include permission in application metadata signed by a trusted party.