| 1 | +# Security Policy |
| 2 | + |
| 3 | +Slack takes the security of its software and services seriously, including all open-source repositories managed through the [slackapi](https://github.com/slackapi) GitHub organization. |
| 4 | + |
| 5 | +## Reporting a Vulnerability |
| 6 | + |
| 7 | +**Do NOT report security vulnerabilities through public GitHub issues, pull requests, or discussions.** |
| 8 | + |
| 9 | +If you believe you have found a security vulnerability in `slack_sdk`, please report it through the Slack bug bounty program on HackerOne: |
| 10 | + |
| 11 | +**<https://hackerone.com/slack>** |
| 12 | + |
| 13 | +Even if `slack_sdk` is not explicitly listed as an in-scope asset on the HackerOne program page, reports for vulnerabilities in this package should still be submitted there. The Slack security team triages reports for all `slackapi` open-source repositories through this program. |
| 14 | + |
| 15 | +If HackerOne is inaccessible, you may alternatively report the issue to [security@salesforce.com](mailto:security@salesforce.com). |
| 16 | + |
| 17 | +Please do not discuss potential vulnerabilities in public without first coordinating with the security team. |
| 18 | + |
| 19 | +## What to Include |
| 20 | + |
| 21 | +To help us triage and respond quickly, please include: |
| 22 | + |
| 23 | +- Type of vulnerability (e.g., signature bypass, token leakage, denial of service) |
| 24 | +- Affected version(s) of `slack_sdk` |
| 25 | +- Step-by-step reproduction instructions |
| 26 | +- Proof-of-concept code or payloads, if available |
| 27 | +- Impact assessment: what an attacker could achieve |
| 28 | +- Any specific configuration required to trigger the vulnerability |
| 29 | +- Affected source file paths, if known |
| 30 | + |
| 31 | +## Threat Model |
| 32 | + |
| 33 | +The Python Slack SDK is a collection of client libraries for interacting with Slack's APIs. It provides utilities for request signature verification, OAuth token management and storage, and real-time WebSocket communication via Socket Mode. The security boundary covers the safe handling of credentials, the integrity of cryptographic verification, and the confidentiality of data in transit and at rest. |
| 34 | + |
| 35 | +### In Scope |
| 36 | + |
| 37 | +The following are considered SDK vulnerabilities: |
| 38 | + |
| 39 | +- Bypass of request signature verification (HMAC-SHA256 validation in `slack_sdk.signature`) |
| 40 | +- Token or credential leakage through logs, error messages, HTTP headers, or unintended network requests |
| 41 | +- OAuth state parameter validation bypass or CSRF vulnerabilities in the authorization flow (`slack_sdk.oauth`) |
| 42 | +- Cross-tenant token exposure or installation data leakage in built-in installation stores |
| 43 | +- Token storage vulnerabilities in any built-in installation store or state store backend |
| 44 | +- Failure to enforce TLS for connections to Slack's APIs (Web API, WebSocket, or webhook endpoints) |
| 45 | +- WebSocket connection hijacking or man-in-the-middle vulnerabilities in Socket Mode clients |
| 46 | +- Denial of service caused by malformed API responses or WebSocket frames that crash or hang the client |
| 47 | +- Information disclosure through SDK error responses or timing side channels |
| 48 | +- Insecure default configurations that could lead to credential exposure |
| 49 | + |
| 50 | +### Out of Scope |
| 51 | + |
| 52 | +The following are NOT SDK vulnerabilities: |
| 53 | + |
| 54 | +- Vulnerabilities in the Python runtime, operating system, or hosting infrastructure |
| 55 | +- Security issues in Slack's server-side platform infrastructure (report those directly under Slack's main HackerOne scope) |
| 56 | +- Vulnerabilities in third-party PyPI packages chosen and installed by the developer outside of this SDK's direct dependencies (e.g., aiohttp, websockets, SQLAlchemy, boto3) |
| 57 | +- Security issues in developer application logic built on top of the SDK (e.g., storing tokens insecurely in application code) |
| 58 | +- Attacks that require possession of valid tokens or signing secrets (the SDK assumes credentials provided to it are confidential) |
| 59 | +- Rate limiting or resource exhaustion on Slack's servers caused by legitimate API usage |
| 60 | +- Issues that only affect end-of-life Python versions with no reproduction on supported versions |
| 61 | +- Security of custom API base URLs configured by the developer for testing or proxying |
| 62 | + |
| 63 | +## Disclosure Policy |
| 64 | + |
| 65 | +This project follows coordinated disclosure: |
| 66 | + |
| 67 | +- Allow a reasonable timeframe for the team to investigate, develop, and release a fix before any public disclosure. |
| 68 | +- Researchers who follow responsible disclosure practices are eligible for recognition and bounty consideration through the Slack HackerOne program. |
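Review bot: the "Disclosure Policy" section (lines 63-68) commits to coordinated disclosure but gives no concrete window and no statement of how fixes are announced; "Allow a reasonable timeframe for the team to investigate, develop, and release a fix" is not actionable for a researcher deciding when to publish, and a SECURITY.md for a PyPI package is also expected to say which release lines receive fixes. Suggest adding a target response and remediation window (for example, acknowledgement within a fixed number of business days and a default disclosure deadline) and a short "Supported Versions" list, plus where advisories land (a GitHub Security Advisory on this repository and a new `slack_sdk` release on PyPI), so the policy can be checked against the triage on HackerOne. Two smaller points in the same hunk: the "Out of Scope" bullet "Vulnerabilities in third-party PyPI packages chosen and installed by the developer outside of this SDK's direct dependencies (e.g., aiohttp, websockets, SQLAlchemy, boto3)" reads as if anything touching those optional extras is excluded, while the "In Scope" list explicitly covers "Failure to enforce TLS for connections to Slack's APIs" and "WebSocket connection hijacking or man-in-the-middle vulnerabilities in Socket Mode clients", which are exactly the SDK's own use of aiohttp and websockets; reword it to exclude bugs inside those packages (report upstream) while keeping the SDK's configuration and use of them in scope. And the claim "Even if `slack_sdk` is not explicitly listed as an in-scope asset on the HackerOne program page, reports for vulnerabilities in this package should still be submitted there" should be confirmed with the program owners before merge, since a report filed against an unlisted asset may be closed as out of scope rather than routed to the SDK maintainers.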