From 34e5fdee4e5e43b8563e6e02b8bdc94c083b2f47 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Fri, 14 Nov 2014 19:14:13 +0000 Subject: README, HACKING: add some brief notes on reporting security vulnerabilities We now have a private mailing list that can be the security contact. --- HACKING | 5 +++++ README | 19 +++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/HACKING b/HACKING index 8c993b66..2fed9e6c 100644 --- a/HACKING +++ b/HACKING @@ -11,6 +11,11 @@ of patches, etc. should go there. Security === +If you find a security vulnerability that is not known to the public, +please report it privately to dbus-security@lists.freedesktop.org +or by reporting a freedesktop.org bug that is marked as +restricted to the "D-BUS security group". + Most of D-Bus is security sensitive. Guidelines related to that: - avoid memcpy(), sprintf(), strlen(), snprintf, strlcat(), diff --git a/README b/README index aea83300..0257e69d 100644 --- a/README +++ b/README @@ -29,6 +29,25 @@ If your use-case isn't one of these, D-Bus may still be useful, but only by accident; so you should evaluate carefully whether D-Bus makes sense for your project. +Security +== + +If you find a security vulnerability that is not known to the public, +please report it privately to dbus-security@lists.freedesktop.org +or by reporting a freedesktop.org bug that is marked as +restricted to the "D-BUS security group" (you might need to "Show +Advanced Fields" to have that option). + +On Unix systems, the system bus (dbus-daemon --system) is designed +to be a security boundary between users with different privileges. + +On Unix systems, the session bus (dbus-daemon --session) is designed +to be used by a single user, and only accessible by that user. + +We do not currently consider D-Bus on Windows to be security-supported, +and we do not recommend allowing untrusted users to access Windows +D-Bus via TCP. + Note: low-level API vs. high-level binding APIs === -- cgit v1.2.3