author: Frank Ch. Eigler <[email protected]>, 2023-07-03 10:19:23 -0400
committer: Frank Ch. Eigler <[email protected]>, 2023-07-03 10:25:40 -0400
commit: 1e3f1f91b6e39d3daa4d3b86f15235bdda83b58b
tree: 68c45e19b78e101d2fd2892648295e62e9623307
parent: 35e059b654224b1a01d05877b13582c74c692388
SECURITY: new file
Policy drafted in April 2023.
https://inbox.sourceware.org/elfutils-devel/[email protected]/
Added links to README, and mentioned in configury/spec files for installation.
Signed-off-by: Frank Ch. Eigler <[email protected]>
-rw-r--r--  Makefile.am              |  2
-rw-r--r--  README                   |  2
-rw-r--r--  SECURITY                 | 56
-rw-r--r--  config/elfutils.spec.in  |  2
4 files changed, 60 insertions, 2 deletions
diff --git a/Makefile.am b/Makefile.am index e92e05c2..41badfd7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -29,7 +29,7 @@ pkginclude_HEADERS = version.h SUBDIRS = config lib libelf libcpu backends libebl libdwelf libdwfl libdw \ libasm debuginfod src po doc tests -EXTRA_DIST = elfutils.spec GPG-KEY NOTES CONTRIBUTING \ +EXTRA_DIST = elfutils.spec GPG-KEY NOTES CONTRIBUTING SECURITY \ COPYING COPYING-GPLV2 COPYING-LGPLV3 # Make sure the test install uses lib64 when $LIB will yield lib64. @@ -29,3 +29,5 @@ Or use the form at https://sourceware.org/mailman/listinfo/elfutils-devel See the CONTRIBUTING file for how to propose patches to the code. See the NOTES files for some design decisions and notes. + +See the SECURITY file for defining and handling security-sensitive bugs. diff --git a/SECURITY b/SECURITY new file mode 100644 index 00000000..677802c6 --- /dev/null +++ b/SECURITY 
@@ -0,0 +1,56 @@ + +The elfutils library and utilities aim to be generally robust and +reliable. However, elfutils routinely processes complex binary +structured data. This makes the code intricate and sometimes brittle. +While elfutils developers use a variety of static and dynamic checker +software (valgrind, sanitizers) in testing, bugs may remain. Some of +these bugs may have security-related implications. + + +While many errors are cleanly detected at runtime, it is possible that +vulnerabilities exist that could be exploitable. These may arise from +crafted / fuzzed / erroneous inputs, or perhaps even from valid inputs +with unforseen characteristics. Therefore, to minimize risks, users +of elfutils tools and libraries should consider measures such as: + +- avoiding running complex elfutils analysis on untrustworthy inputs +- avoiding running elfutils tools as privileged processes +- applying common platform level protection mechanisms such as + selinux, syscall filtering, hardened compilation, etc. + +Since most elfutils tools are run in short-lived, local, interactive, +development context rather than remotely "in production", we generally +treat malfunctions as ordinary bugs rather than security vulnerabilities. + + +Elfutils includes one network client/server: debuginfod. The +debuginfod man page contains a SECURITY section outlining the general +risks. tl;dr: many classes of server problems are delegated to +front-end proxies and curated elf/dwarf archives of the operator; +others to careful configuration of the debuginfod client. These are +not generally reportable as security vulnerabilities. 
However, we are +likely to accept security vulnerability reports related to: + +- availability: e.g., remotely exploitable server crash, but not + routine resource exhaustion or overload; client crash due to + unexpected valid traffic from trusted server + +- confidentiality: e.g., allowing the server to expose one client's + traffic to another client + +- integrity: e.g., causing the server to send erroneous + elf/dwarf/source data across the webapi; causing the client to + corrupt its cache to lose file integrity + +We welcome reports that are tangential to any of these subjects. + +Please report bugs via any of: +- email to <[email protected]> +- https://sourceware.org/bugzilla/enter_bug.cgi?product=elfutils + +After considering the above exclusions, please report suspected +security vulnerabilities confidentially via any of: + +- email to <[email protected]> +- email to <[email protected]> +- email to <[email protected]> diff --git a/config/elfutils.spec.in b/config/elfutils.spec.in index 5d56dfca..9277c08f 100644 --- a/config/elfutils.spec.in +++ b/config/elfutils.spec.in @@ -233,7 +233,7 @@ fi %files %license COPYING COPYING-GPLV2 COPYING-LGPLV3 doc/COPYING-GFDL -%doc README TODO CONTRIBUTING +%doc README TODO CONTRIBUTING SECURITY %{_bindir}/eu-addr2line %{_bindir}/eu-ar %{_bindir}/eu-elfclassify |
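Review bot: the README hunk's new line, "See the SECURITY file for defining and handling security-sensitive bugs.", reads as though the reader does the defining and handling; the neighbouring lines use the pattern "See the CONTRIBUTING file for how to propose patches to the code." Suggest matching it: "See the SECURITY file for how security-sensitive bugs are defined and reported."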
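Review bot: the new SECURITY file's closing section asks reporters to send suspected vulnerabilities "confidentially" to three plain e-mail addresses but names no encryption key or other protected channel, so the confidential report itself travels in the clear; the Makefile.am hunk in this same patch ships a GPG-KEY file alongside SECURITY, so either state there that this key may be used to encrypt reports or add a dedicated reporting key or fingerprint under "please report suspected security vulnerabilities confidentially". Smaller points in the same file: "unforseen" should be "unforeseen"; the availability bullet ("remotely exploitable server crash, but not routine resource exhaustion or overload; client crash due to unexpected valid traffic from trusted server") leaves it unclear whether the client-crash case is an accepted report or falls under the "but not" exclusion, so give it its own bullet; "We welcome reports that are tangential to any of these subjects" presumably means such reports are welcome as ordinary bugs through the non-confidential channels listed next, and should say so; and nothing tells a reporter what to expect after a confidential report (acknowledgement, coordination with the reporter, disclosure timing, whether a CVE is requested), which is the usual remaining content of a policy like this.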