Merge in some changes to the documented security policy.

michaelrsweet · michaelrsweet · commit 18a8a7112457 · 2026-03-31T13:26:31.000-04:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -1,23 +1,9 @@
 Security Policy
 ===============
 
-This file describes how security issues are reported and handled, and what the
-expectations are for security issues reported to this project.
-
-
-Responsible Disclosure
-----------------------
-
-With *responsible disclosure*, a security issue (and its fix) is disclosed only
-after a mutually-agreed period of time (the "embargo date").  The issue and fix
-are shared amongst and reviewed by the key stakeholders (Linux distributions,
-OS vendors, etc.) and the CERT/CC.  Fixes are released to the public on the
-agreed-upon date.
-
-> Responsible disclosure applies only to production releases.  A security
-> vulnerability that only affects unreleased code can be fixed immediately
-> without coordination.  Vendors *should not* package and release unstable
-> snapshots, beta releases, or release candidates of this software.
+This file describes how security issues are reported and handled by
+OpenPrinting, and what the expectations are for security issues reported to
+this project.
 
 
 Supported Versions
@@ -49,25 +35,59 @@ example:
     1.0b2
     1.0rc1
 
+> *Note:* This security policy only applies to production releases.  A security
+> vulnerability that only affects unreleased code will be fixed immediately
+> without coordination.  Vendors *should not* package and release unstable
+> snapshots, beta releases, or release candidates of this software.
+
+
+Is the Issue a Bug or a Security Vulnerability?
+-----------------------------------------------
+
+OpenPrinting has defined criteria for identifying whether issues are handled as
+regular project bugs or as security vulnerabilities that use the "Reporting a
+Vulnerability" process below.
 
-Reporting a Vulnerability
--------------------------
+The following kinds of issues are generally treated as security vulnerabilities
+by OpenPrinting:
 
-Github supports private security advisories and OpenPrinting CUPS enabled
-their usage, report all security issue via them. Reporters can file a security
-advisory by clicking on `New issue` at tab `Issues` and choose
-`Report a vulnerability`.  Provide details, impact, reproducer, affected
-versions, workarounds and patch for the vulnerability if there are any and
-estimate severity when creating the advisory.
+- Daemon/service crashes/hangs caused by a network request,
+- Remote code execution code via software provided by OpenPrinting,
+- Privilege escalation that allows unauthorized actions or information
+  disclosure,
+- Common weaknesses (buffer overflow, divide-by-zero, input validation,
+  use-after-free, etc.) that lead to a demonstrated (not theoretical) exploit.
 
-Expect a response within 5 business days.
+The following kinds of issues are generally treated as regular bugs by
+OpenPrinting:
+
+- Vulnerabilities caused by mis-configuration
+- Issues caused by incorrect API usage
+- Issues that only exist in non-production software
+
+Regular bugs should be reported to the project using the GitHub (public) issue
+tracker page at <https://github.com/OpenPrinting/cups/issues>.
+
+
+Reporting a Security Vulnerability
+----------------------------------
+
+Vulnerabilities should be reported to the project using the GitHub (private)
+security advisory page at
+<https://github.com/OpenPrinting/cups/security/advisories>.
+
+Provide details, impact, reproducer, affected versions, workarounds, and a patch
+for the vulnerability, if applicable.
+
+You can expect a response within 5 business days.
 
 
 How We Respond to Vulnerability Reports
 ---------------------------------------
 
-First, we take every report seriously.  There are (conservatively) over a
-billion systems using CUPS, so any security issue can affect a lot of people.
+First, we take every report seriously.  There are (conservatively) several
+billion devices/systems using CUPS, so any security issue can affect a lot of
+people.
 
 Members of the OpenPrinting security team will try to verify/reproduce the
 reported issues in a timely fashion.  Please keep in mind that many members of
@@ -84,6 +104,13 @@ scope of the issue.  We assess vulnerabilities based on our supported platforms
 and common configurations because we need to be able to test and verify issues
 and fixes on those supported platforms.
 
+> *Note:* GitHub uses CVSS base metrics which require the default configuration
+> of the affected project.  This is most important for the attack vector metric
+> in CVSS because the default cupsd configuration only listens on the loopback
+> and domain socket addresses.
+
+The final CVSS score determines how the vulnerability is disclosed.
+
 Similar issues (if multiple vulnerabilities are reported) will be combined if
 they share a common root cause.  We don't mean any disrespect by doing this, we
 just want to make sure your issues are truly and efficiently addressed in full.
@@ -92,10 +119,23 @@ Once we have verified things, we will work towards providing a fix as quickly
 as possible.  Fixes are typically developed against the "master" branch, then
 backported as needed to cover shipping CUPS releases on our supported platforms.
 
-Once we have the fixes ready, we request a CVE, coordinate an embargo date, and
-announce it on `distros@vs.openwall.org` mailing list.  The embargo period is
-typically 7-10 days long but can be longer.
 
-The embargo starts a flurry of activity - hundred of developers supporting every
-Linux distribution, the various BSD flavors, macOS, and ChromeOS will queue up
-the security updates for their respective OS releases on the embargo date.
+Responsible Disclosure
+----------------------
+
+With *responsible disclosure*, the issue and its fixes are shared amongst and
+reviewed by the key stakeholders (Linux distributions, OS vendors, etc. on the
+`distros@vs.openwall.org` mailing list) and the CERT/CC.  OpenPrinting requests
+a CVE when we have agreed-upon fixes ready.
+
+If the final CVSS score is 7 or more, or if a key stakeholder requests it,
+OpenPrinting coordinates a mutually-agreed period of time (the "embargo date")
+for when the fixes will be released.  Otherwise, the fixes are pushed to the
+public repository immediately and included in a subsequent production release
+when convenient.
+
+> *Note:* An embargo starts a flurry of activity.  Hundreds of developers
+> supporting every Linux distribution, the various BSD flavors, macOS, and
+> ChromeOS queue up security updates for their respective OS releases on the
+> embargo date.  OpenPrinting wants to limit the embargo process to high
+> severity issues to better manage limited developer resources.
