|
| 1 | +# Security Policies |
| 2 | + |
| 3 | +This document defines bitmath's policies for handling findings from |
| 4 | +Software Composition Analysis (SCA), Static Application Security |
| 5 | +Testing (SAST), and license compliance scanning. It exists so |
| 6 | +downstream consumers can understand the project's commitments and so |
| 7 | +future maintainers can apply the policies consistently. |
| 8 | + |
| 9 | +The threat model that motivates these policies is in |
| 10 | +[SECURITY_ASSESSMENT.md](SECURITY_ASSESSMENT.md). The vulnerability |
| 11 | +reporting process is in [SECURITY.md](SECURITY.md). The release |
| 12 | +verification process is in [VERIFICATION.md](VERIFICATION.md). The |
| 13 | +workflows that enforce these policies live in `.github/workflows/`. |
| 14 | + |
| 15 | +## Software Composition Analysis (SCA) |
| 16 | + |
| 17 | +SCA covers known vulnerabilities and license compliance in |
| 18 | +bitmath's dependencies. Because bitmath has **zero runtime |
| 19 | +dependencies** (verifiable in `pyproject.toml`), the operational |
| 20 | +scope of SCA is the development dependency set listed in |
| 21 | +`requirements.txt`. |
| 22 | + |
| 23 | +### Tools |
| 24 | + |
| 25 | +* **Dependabot** opens pull requests for dependency updates and |
| 26 | + surfaces known vulnerabilities. Configured in |
| 27 | + `.github/dependabot.yml`. |
| 28 | +* **pip-audit** runs on every push and pull request via |
| 29 | + `.github/workflows/sca.yml` against `requirements.txt`. The |
| 30 | + workflow is a required status check on `master`. |
| 31 | +* **GitHub secret scanning** (enabled at the repository level) |
| 32 | + catches credentials accidentally committed to the repository. |
| 33 | + |
| 34 | +### Remediation Thresholds |
| 35 | + |
| 36 | +Severity ratings follow the CVSS score reported by the SCA tool. |
| 37 | +The remediation clock starts when the finding becomes visible in |
| 38 | +the project (Dependabot alert or `pip-audit` CI failure). |
| 39 | + |
| 40 | +| Severity | CVSS range | Action | Timeline | |
| 41 | +|----------|-----------|--------|----------| |
| 42 | +| Critical | 9.0 – 10.0 | Patch or replace the affected dependency. Block any release until remediated. | Within 7 days of disclosure | |
| 43 | +| High | 7.0 – 8.9 | Patch or replace the affected dependency. Block release if the next release is within 30 days; otherwise remediate before that release. | Within 30 days of disclosure | |
| 44 | +| Medium | 4.0 – 6.9 | Patch when the next dependency update naturally cycles through. | Within 90 days | |
| 45 | +| Low | 0.1 – 3.9 | Patch opportunistically. | Best effort | |
| 46 | + |
| 47 | +A finding may be suppressed only when it is demonstrably |
| 48 | +non-exploitable in bitmath's usage of the dependency. Suppression is |
| 49 | +documented inline in the SCA workflow configuration with a comment |
| 50 | +explaining why. |
| 51 | + |
| 52 | +### Release Blocking |
| 53 | + |
| 54 | +A release of bitmath **MUST NOT** ship while a Critical or High SCA |
| 55 | +finding against a dev dependency is unaddressed, unless the finding |
| 56 | +has been formally suppressed as non-exploitable per the rule above. |
| 57 | +The `.github/workflows/sca.yml` status check enforces this on the |
| 58 | +merge path; the release process (see |
| 59 | +[ARCHITECTURE.md](ARCHITECTURE.md)) is gated by the same branch |
| 60 | +protection. |
| 61 | + |
| 62 | +### License Compliance |
| 63 | + |
| 64 | +All direct dependencies must use a license listed as |
| 65 | +[OSI-approved](https://opensource.org/licenses) or |
| 66 | +[FSF-approved](https://www.gnu.org/licenses/license-list.html). |
| 67 | +Today every dev dependency uses MIT, Apache 2.0, or BSD. Adding a |
| 68 | +new dev dependency that introduces a copyleft license (GPL, AGPL, |
| 69 | +LGPL) requires explicit consideration before being merged; the PR |
| 70 | +that introduces it must document the decision in the description. |
| 71 | + |
| 72 | +## Static Application Security Testing (SAST) |
| 73 | + |
| 74 | +SAST covers security weaknesses in bitmath's own source code. |
| 75 | + |
| 76 | +### Tools |
| 77 | + |
| 78 | +* **Bandit** scans `bitmath/` and `tests/` for common Python |
| 79 | + security smells. Runs on every push and pull request via |
| 80 | + `.github/workflows/bandit.yml`. Required status check. |
| 81 | +* **CodeQL** performs semantic analysis for Python vulnerabilities. |
| 82 | + Runs on every push, pull request, and weekly via |
| 83 | + `.github/workflows/codeql.yml`. Required status check. |
| 84 | +* **OSSF Scorecard** performs a weekly meta-analysis of repository |
| 85 | + security posture. Reports to the GitHub Security tab. |
| 86 | + |
| 87 | +### Remediation Thresholds |
| 88 | + |
| 89 | +| Severity | Action | Timeline | |
| 90 | +|----------|--------|----------| |
| 91 | +| High | Fix in the next patch release. Block any merge that introduces a new High finding. | Within 7 days for existing findings; immediately for new ones | |
| 92 | +| Medium | Fix in the next minor release. | Within 30 days | |
| 93 | +| Low | Address in the normal development cycle. | Best effort | |
| 94 | +| Informational | Triage and either fix or suppress with a justifying comment. | Best effort | |
| 95 | + |
| 96 | +A finding may be suppressed only when it is a true false positive. |
| 97 | +The suppression must include a `# nosec` comment with an inline |
| 98 | +justification (Bandit) or a `# lgtm[py/...]` annotation (CodeQL) |
| 99 | +explaining the rationale. The justification should be specific |
| 100 | +enough that a future maintainer can re-evaluate the suppression |
| 101 | +without re-deriving the analysis. |
| 102 | + |
| 103 | +### Release Blocking |
| 104 | + |
| 105 | +A release of bitmath **MUST NOT** ship while any High SAST finding |
| 106 | +against the project's own code is unaddressed, unless the finding is |
| 107 | +formally suppressed as a false positive per the rule above. The |
| 108 | +Bandit and CodeQL required status checks enforce this on the merge |
| 109 | +path. |
| 110 | + |
| 111 | +## Review and Updates |
| 112 | + |
| 113 | +This policy is reviewed at every minor release. The contract: |
| 114 | + |
| 115 | +* A new SAST or SCA tool added to CI → update the corresponding |
| 116 | + Tools section. |
| 117 | +* A change to remediation thresholds or release-blocking rules → |
| 118 | + update the corresponding table and re-state the rationale in the |
| 119 | + commit message. |
| 120 | +* A suppression added in code → also add a brief justification in |
| 121 | + the suppression comment so the rationale survives the next |
| 122 | + review. |
| 123 | + |
| 124 | +If this policy drifts out of sync with what the workflows actually |
| 125 | +enforce, that is a defect worth [opening an |
| 126 | +issue](https://github.com/timlnx/bitmath/issues/new) or a PR. |
0 commit comments