docs: add SECURITY.md with private vulnerability reporting policy #651
Merged
Add a top-level SECURITY.md so GitHub's Security tab points reporters at private vulnerability reporting instead of a public issue or PR. Scope it to dbus-fast's actual attack surface: crafted D-Bus messages / type signatures hitting the marshaller, unmarshaller, signature parser, and address parser; SASL auth flaws in auth.py; dispatch bugs in message_bus / service that expose or reply to something they shouldn't; build / packaging pipeline. Out-of-scope items are documented (D-Bus access control is dbus-daemon's job, not the library's). Cross-reference the policy from CLAUDE.md so LLM-assisted contributions route reports the same way.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage Diff (main vs. #651):

                 main     #651   +/-
Coverage       88.53%   88.53%
Files              29       29
Lines            3488     3488
Branches          602      602
Hits             3088     3088
Misses            248      248
Partials          152      152
Summary

Add a `SECURITY.md` that directs vulnerability reports through GitHub's private vulnerability reporting, so reporters have a documented private channel and aren't tempted to open a public issue or PR. Cross-reference the policy from `CLAUDE.md` so future LLM-assisted contributions route reports the same way. Modeled on python-zeroconf#1675.

Details

- `SECURITY.md`: top-level file (where GitHub's Security tab looks for it). Names the supported channel, supported versions (latest `4.x`), and an in-scope / out-of-scope list grounded in dbus-fast's actual attack surface:
  - `_private/unmarshaller.py`, `_private/marshaller.py`, `signature.py`, `_private/address.py`.
  - `auth.py` (EXTERNAL / ANONYMOUS / DBUS_COOKIE_SHA1).
  - `message_bus.py`, `aio/message_bus.py`, `service.py` that expose or reply to something they shouldn't.
  - `build_ext.py`, `TO_CYTHONIZE`, wheel contents, signed-release flow.
  - `dbus-daemon`'s own policy (D-Bus access control is the daemon's job), running `dbus-daemon` over an unauthenticated TCP transport, or consumer-side misuse of the API.
- `CLAUDE.md`: new `## Reporting security issues` section between `## Build conventions` and `## Useful entry points`. Tells the LLM contributor not to open a public issue, PR, or commit naming the bug class and the affected code path when a user describes a suspected vulnerability; instead, point them at `SECURITY.md` / the private-reporting URL.

Test plan

- `SECURITY.md` is discoverable via GitHub's Security tab after merge (`/security/policy` resolves).
- `/security/advisories/new`.
- `lint` and `commitlint` jobs are green.

🤖 Generated with Claude Code