sourceware.org Git - libabigail.git/commitdiff
SECURITY: New security policy text
author Dodji Seketeli <dodji@redhat.com>
Tue, 12 Nov 2024 15:33:39 +0000 (16:33 +0100)
committer Dodji Seketeli <dodji@redhat.com>
Wed, 13 Nov 2024 14:35:16 +0000 (15:35 +0100)
Let's have a policy to handle security issues reported against
libabigail.

This security policy text is derived from the elfutils project one at
https://sourceware.org/cgit/elfutils/tree/SECURITY.

* SECURITY: New security policy text file.
* Makefile.am: Add the new SECURITY file to the distribution.

Signed-off-by: Dodji Seketeli <dodji@redhat.com>
Reviewed-by: Frank Ch. Eigler <fche@redhat.com>
Makefile.am
SECURITY [new file with mode: 0644]

index c55f237471bbaca66828f0a82b721661ab82fef4..f540ccddb16a55cdb82ad125379b10f96ec7d211 100644 (file)
@@ -21,7 +21,7 @@ autoconf-archive/ax_check_python_modules.m4 \
 autoconf-archive/ax_prog_python_version.m4 \
 autoconf-archive/ax_compare_version.m4 \
 NEWS README LICENSE.txt license-change-2020.txt \
-COMPILING COMMIT-LOG-GUIDELINES VISIBILITY \
+COMPILING COMMIT-LOG-GUIDELINES VISIBILITY SECURITY \
 ChangeLog gen-changelog.py     \
 $(headers) $(m4data_DATA)      \
 libabigail.pc.in
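Review bot: the `+COMPILING COMMIT-LOG-GUIDELINES VISIBILITY SECURITY \` line puts SECURITY in the same distribution list as the other top-level documents (NEWS, README, COMPILING, VISIBILITY), so it will ship in release tarballs; consider also pointing to it from README so that someone reporting an issue from an installed package finds the confidential contact addresses without browsing the source tree.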
diff --git a/SECURITY b/SECURITY
new file mode 100644 (file)
index 0000000..124edfe
--- /dev/null
+++ b/SECURITY
@@ -0,0 +1,34 @@
+The libabigail library and utilities aim to be generally robust and
+reliable.  However, libabigail routinely processes complex binary
+structured data.  This makes the code intricate and sometimes brittle.
+While libabigail developers use a variety of static and dynamic checker
+software (valgrind, sanitizers) in testing, bugs may remain.  Some of
+these bugs may have security-related implications.
+
+
+While many errors are cleanly detected at runtime, it is possible that
+vulnerabilities exist that could be exploitable.  These may arise from
+crafted / fuzzed / erroneous inputs, or perhaps even from valid inputs
+with unforseen characteristics.  Therefore, to minimize risks, users
+of libabigail tools and libraries should consider measures such as:
+
+- avoiding running complex libabigail analysis on untrustworthy inputs
+- avoiding running libabigail tools as privileged processes
+- applying common platform level protection mechanisms such as
+  selinux, syscall filtering, hardened compilation, etc.
+
+Since libabigail tools are usually run in short-lived, local,
+interactive, development context rather than remotely "in production",
+we generally treat malfunctions as ordinary bugs rather than security
+vulnerabilities.
+
+Please report bugs via any of:
+- email to <libabigail@sourceware.org>
+- https://sourceware.org/bugzilla/enter_bug.cgi?product=libabigail
+
+After considering the above exclusions, please report suspected
+security vulnerabilities confidentially via any of:
+
+- email to <dodji@seketeli.org>
+- email to <fche@elastic.org>
+- email to <secalert@redhat.com>
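Review bot: typo in `+with unforseen characteristics.`, which should read `unforeseen`; the two consecutive blank lines after `+these bugs may have security-related implications.` can be collapsed to one, and `development context` in `+interactive, development context rather than remotely "in production",` reads better as `development contexts`. Since the bugzilla link under `+Please report bugs via any of:` is a public tracker, it is worth saying explicitly that suspected vulnerabilities should go only to the confidential email addresses in the last list and not be filed in bugzilla, so that a reporter skimming the file does not disclose an issue publicly by accident.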