From 8edccf4fcc736215b7b0477b55eb3efba4121cda Mon Sep 17 00:00:00 2001 From: Isaiah Inuwa Date: Wed, 13 Aug 2025 17:06:41 -0500 Subject: [PATCH 1/4] Define security policy --- README.md | 4 +++ SECURITY.md | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index ee05686d..9a60b5c9 100644 --- a/README.md +++ b/README.md @@ -151,6 +151,10 @@ Alternatively, lock out the credential based on incorrect attempts. - authenticator-rs - webauthn-rs +# Security Policy + +See [SECURITY.md](/SECURITY.md) for our security policy. + # License See the [LICENSE.md](LICENSE.md) file for license rights and limitations (LGPL-3.0-only). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..137b2160 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,72 @@ +# credentialsd Security Policy + +This policy outlines our intentions for addressing security issues and practices +for security researchers investigating this project. + +## Submitting Vulnerability Reports + +Since this project handles very sensitive data, we take security seriously. If +you have discovered a security vulnerability in this project, please report it +to us privately via the process below. + +We use GitHub for private vulnerability disclosure. To report a vulnerability: + +1. Go to [Security > Advisories > New draft security advisory][new-advisory]. +2. Fill out the report and submit the draft. +3. The maintainers will be privately notified about the advisory and get back to + you. + +[new-advisory]: https://github.com/linux-credentials/credentialsd/security/advisories/new + +## Expected Response + +We will acknowledge the receipt of the report immediately and will work with +you. We seek to investigate issues within 30 days. + +If the issue is confirmed upon investigation, we will collaborate with you to +remediate the vulnerability. Depending on the severity or developer +availability, we may request more time to remediate the issue before allowing +public disclosure. + +# Supported Releases + +We only support the latest published release. We may backport patches when +possible to help users running on distributions that package older versions of +our software. + +## Threat Model + +We do not currently have a formally defined threat model; we will continue to +document it over time. However, the basic security guarantees we would like to +achieve are defined below. + +Please note, that if you believe you have discovered a security problem outside +of this scope, we still want to know about it! We would still like to discuss +the issue privately, but we may not decide to address it within the response +time described above. 
+ +### Definitons + +- _privileged client_: A client that is allowed to make requests for credentials + for any origin. +- _unprivileged client_: A client that is allowed to make requests for + credentials for only a preconfigured set of origins. + +### Scope + +- Privileged clients may request credentials via this service[^1] for any origin. +- The list of privileged clients cannot change without: + - `root` privileges, or + - user consent[^2] +- The list of unprivileged clients cannot change without: + - `root` privileges, or + - user consent[^2] + +[^1]: + Various systems may allow users to interact with authenticators directly + (e.g. allowing unrestricted permission to USB devices or Bluetooth service + data), so those are out of scope. + +[^2]: + In the future we may offer stricter configuration where privileged clients + must include permission metadata be signed by a trusted party. From 47cc9c09058fb87c62c322c5264b942e70d91e96 Mon Sep 17 00:00:00 2001 From: Isaiah Inuwa Date: Thu, 14 Aug 2025 10:42:55 -0500 Subject: [PATCH 2/4] docs: Address security policy feedback --- SECURITY.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 137b2160..90bf788e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,12 +1,13 @@ # credentialsd Security Policy -This policy outlines our intentions for addressing security issues and practices -for security researchers investigating this project. +Since this project handles very sensitive data, we, the maintainers of +credentialsd, take security seriously. This policy outlines our intentions for +addressing security issues and practices for security researchers investigating +this project. ## Submitting Vulnerability Reports -Since this project handles very sensitive data, we take security seriously. If -you have discovered a security vulnerability in this project, please report it +If you have discovered a security vulnerability in this project, please report it to us privately via the process below. We use GitHub for private vulnerability disclosure. To report a vulnerability: @@ -34,7 +35,7 @@ We only support the latest published release. We may backport patches when possible to help users running on distributions that package older versions of our software. -## Threat Model +# Threat Model We do not currently have a formally defined threat model; we will continue to document it over time. However, the basic security guarantees we would like to @@ -42,17 +43,17 @@ achieve are defined below. Please note, that if you believe you have discovered a security problem outside of this scope, we still want to know about it! We would still like to discuss -the issue privately, but we may not decide to address it within the response +the issue privately, but we may decide to address it beyond the response time described above. -### Definitons +## Definitons - _privileged client_: A client that is allowed to make requests for credentials for any origin. - _unprivileged client_: A client that is allowed to make requests for credentials for only a preconfigured set of origins. -### Scope +## Scope - Privileged clients may request credentials via this service[^1] for any origin. - The list of privileged clients cannot change without: 
@@ -68,5 +69,5 @@ time described above. data), so those are out of scope. [^2]: - In the future we may offer stricter configuration where privileged clients - must include permission metadata be signed by a trusted party. + In the future we may offer a stricter guarantee that privileged clients + must include permission in application metadata signed by a trusted party. From 07a0d63db29082bea0277d502597e3dfa555cacd Mon Sep 17 00:00:00 2001 From: Isaiah Inuwa Date: Thu, 14 Aug 2025 15:44:37 -0500 Subject: [PATCH 3/4] docs: Relax response time and disclosure policy --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 90bf788e..4ab5acb0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -21,12 +21,12 @@ We use GitHub for private vulnerability disclosure. To report a vulnerability: ## Expected Response -We will acknowledge the receipt of the report immediately and will work with -you. We seek to investigate issues within 30 days. +We aim to acknowledge the receipt of the report as soon as possible and will +work with you. We seek to investigate issues within 30 days. If the issue is confirmed upon investigation, we will collaborate with you to remediate the vulnerability. Depending on the severity or developer -availability, we may request more time to remediate the issue before allowing +availability, we may request more time to remediate the issue before public disclosure. # Supported Releases From e18a45616e2f5aa50ead216eff921ce0203c4cf9 Mon Sep 17 00:00:00 2001 From: Isaiah Inuwa Date: Thu, 14 Aug 2025 15:44:37 -0500 Subject: [PATCH 4/4] docs: Provide examples of out-of-scope vulns --- SECURITY.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 4ab5acb0..9b48eb13 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -55,6 +55,8 @@ time described above. ## Scope +Here is the current list of items that are in scope: + - Privileged clients may request credentials via this service[^1] for any origin. - The list of privileged clients cannot change without: - `root` privileges, or @@ -63,6 +65,15 @@ time described above. - `root` privileges, or - user consent[^2] +We implicitly trust the kernel and D-Bus, so any attacks that exploit those are +out of scope for this project. + +Some other attacks that are explicitly out of scope are those that require: + +- physical access +- direct access to authenticators +- root privilege escalation + [^1]: Various systems may allow users to interact with authenticators directly (e.g. allowing unrestricted permission to USB devices or Bluetooth service
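Review bot: In the README hunk of patch 1, the new link `[SECURITY.md](/SECURITY.md)` uses a root-absolute path while the neighbouring `[LICENSE.md](LICENSE.md)` link in the same hunk is relative. A leading slash resolves to the repository root on GitHub but breaks when the README is rendered from another base (a package registry page, a docs site, a local Markdown viewer). Use `[SECURITY.md](SECURITY.md)` to match the LICENSE link.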
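Review bot: In the new SECURITY.md added by patch 1, the Scope list never states the guarantee that actually separates the two client classes. The Definitions say an unprivileged client may request credentials "for only a preconfigured set of origins", yet Scope only says that privileged clients may request credentials for any origin and that the two client lists cannot change without `root` privileges or user consent. Add a bullet along the lines of "Unprivileged clients cannot obtain credentials for origins outside their preconfigured set", so that an origin-check bypass in the daemon is unambiguously in scope rather than something a reporter has to infer. Relatedly, the first Scope bullet describes a capability, not a guarantee; if the intent is that even a privileged client cannot obtain a credential without the user's consent, say so explicitly.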
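Review bot: The `@@ -34,7 +35,7 @@` hunk in patch 2 promotes `## Threat Model` to `# Threat Model`, which leaves the top-level sections at mixed levels: `# Supported Releases` and `# Threat Model` are H1 alongside the document title, while `## Submitting Vulnerability Reports` and `## Expected Response` stay H2. Pick one level for the top-level sections (H2 under the title is the usual choice) so the rendered table of contents nests consistently.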
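Review bot: The `@@ -42,17 +43,17 @@` hunk in patch 2 rewrites the `-### Definitons` / `+## Definitons` heading but keeps the typo; it should read `## Definitions` (the misspelling survives through patch 4 as well). The wording change on the same hunk from "we may not decide to address it within" to "we may decide to address it beyond the response time" is an improvement, since the original read as a refusal rather than a scheduling caveat.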
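Review bot: In the `@@ -68,5 +69,5 @@` hunk of patch 2, footnote `[^2]` is reworded to say that privileged clients "must include permission in application metadata signed by a trusted party", but the footnote marker is still attached to the two "user consent[^2]" bullets, which it does not qualify. The note describes a stricter way of establishing the privileged-client list, so move the marker to "The list of privileged clients cannot change without:" and drop it from the unprivileged-client bullet, where signed privilege metadata does not apply.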
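Review bot: In the `@@ -21,12 +21,12 @@` hunk of patch 3, dropping "before allowing public disclosure" removes the only sentence that said who controls disclosure timing, and the policy now gives no default window at all: "We seek to investigate issues within 30 days" covers investigation, not remediation or publication. State an explicit default coordinated-disclosure period (for example a fixed number of days from acknowledgement, extendable by agreement) so a reporter knows when they may publish if the maintainers stop responding; "we may request more time" only works if there is a baseline to extend.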
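Review bot: In the `@@ -55,6 +55,8 @@` hunk of patch 4, "Here is the current list of items that are in scope:" is ambiguous because the bullets that follow are security guarantees, not a list of components or attack classes. "The following guarantees are in scope:" (or similar) makes clear that a violation of any bullet is a reportable vulnerability.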
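Review bot: In the `@@ -63,6 +65,15 @@` hunk of patch 4, "root privilege escalation" in the out-of-scope list is ambiguous: it can be read either as "attacks that require the attacker to already hold root", which matches the `root` privileges bullets above, or as "attacks that achieve root escalation", which would wrongly exclude a bug in this daemon that hands a local user root. Rephrase to "already having `root` privileges". Similarly, "We implicitly trust the kernel and D-Bus" should say what is trusted, namely that the bus correctly reports the peer's identity; the daemon's own authorisation decisions based on that identity (which client is privileged, which origins it may request) must remain in scope, otherwise "attacks that exploit those" reads as excluding client spoofing entirely. Finally, "direct access to authenticators" now duplicates footnote `[^1]`, which still appears below the list; keep one of the two, or have the bullet reference the footnote.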