summaryrefslogtreecommitdiffstats
path: root/third_party/jpeg-xl/SECURITY.md
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/jpeg-xl/SECURITY.md')
-rw-r--r--third_party/jpeg-xl/SECURITY.md73
1 files changed, 73 insertions, 0 deletions
diff --git a/third_party/jpeg-xl/SECURITY.md b/third_party/jpeg-xl/SECURITY.md
new file mode 100644
index 0000000000..d03012a63a
--- /dev/null
+++ b/third_party/jpeg-xl/SECURITY.md
@@ -0,0 +1,73 @@
+# Security and Vulnerability Policy for libjxl
+
+## TL;DR:
+
+CPE prefix: `cpe:2.3:a:libjxl_project:libjxl`
+
+To report a security issue, please email libjxl-security@google.com.
+
+Include in your email a description of the issue, the steps you took to create
+the issue, affected versions, and if known, mitigations for the issue. Our
+vulnerability management team will acknowledge receiving your email within 3
+working days.
+
+This project follows a 90 day disclosure timeline.
+
+For all other bugs, where there are no security implications about disclosing
+the unpatched bug, open a [new issue](https://github.com/libjxl/libjxl/issues)
+checking first for existing similar issues. If in doubt about the security
+impact of a bug you discovered, email first.
+
+## Policy overview
+
+libjxl's Security Policy is based on the [Google Open Source program
+guidelines](https://github.com/google/oss-vulnerability-guide) for coordinated
+vulnerability disclosure.
+
+Early versions of `libjxl` had a different security policy that didn't provide
+security and vulnerability disclosure support. Versions up to and including
+0.3.7 are not covered and won't receive any security advisory.
+
+Only released versions, starting from version 0.5, are covered by this policy.
+Development branches, arbitrary commits from `main` branch or even releases with
+backported features externally patched on top are not covered. Only those
+versions with a release tag in `libjxl`'s repository are covered, starting from
+version 0.5.
+
+## What's a "Security bug"
+
+A security bug is a bug that can potentially be exploited to let an attacker
+gain unauthorized access or privileges such as disclosing information or
+arbitrary code execution. Not all fuzzer-found bugs and not all assert()
+failures are considered security bugs in libjxl. For a detailed explanation and
+examples see our [Security Vulnerabilities Playbook](doc/vuln_playbook.md).
+
+## What to expect
+
+To report a security issue, please email libjxl-security@google.com with all the
+details about the bug you encountered.
+
+ * Include a description of the issue, steps to reproduce, etc. Compiler
+ versions, flags, exact version used and even CPU are often relevant given our
+ usage of SIMD and run-time dispatch of SIMD instructions.
+
+ * A member of our security team will reply to you within 3 business days. Note
+ that business days are different in different countries.
+
+ * We will evaluate the issue and we may require more input from your side to
+ reproduce it.
+
+ * If the issue fits in the description of a security bug, we will issue a
+ CVE, publish a fix and make a new minor or patch release with it. There is
+ a maximum of 90 day disclosure timeline, we ask you to not publish the
+ details before the 90 day deadline or the release date (whichever comes
+ first).
+
+ * In the case that we publish a CVE we will credit the external researcher who
+ reported the issue. When reporting security issues please let us know if you
+ need to include specific information while doing so, like for example a
+ company affiliation.
+
+Our security team follows the [Security Vulnerabilities
+Playbook](doc/vuln_playbook.md). For more details about the process and policies
+please take a look at it.