|
| 1 | +# credentialsd Security Policy |
| 2 | + |
| 3 | +Since this project handles very sensitive data, we, the maintainers of |
| 4 | +credentialsd, take security seriously. This policy outlines our intentions for |
| 5 | +addressing security issues and practices for security researchers investigating |
| 6 | +this project. |
| 7 | + |
| 8 | +## Submitting Vulnerability Reports |
| 9 | + |
| 10 | +If you have discovered a security vulnerability in this project, please report it |
| 11 | +to us privately via the process below. |
| 12 | + |
| 13 | +We use GitHub for private vulnerability disclosure. To report a vulnerability: |
| 14 | + |
| 15 | +1. Go to [Security > Advisories > New draft security advisory][new-advisory]. |
| 16 | +2. Fill out the report and submit the draft. |
| 17 | +3. The maintainers will be privately notified about the advisory and get back to |
| 18 | + you. |
| 19 | + |
| 20 | +[new-advisory]: https://github.com/linux-credentials/credentialsd/security/advisories/new |
| 21 | + |
| 22 | +## Expected Response |
| 23 | + |
| 24 | +We aim to acknowledge the receipt of the report as soon as possible and will |
| 25 | +work with you. We seek to investigate issues within 30 days. |
| 26 | + |
| 27 | +If the issue is confirmed upon investigation, we will collaborate with you to |
| 28 | +remediate the vulnerability. Depending on the severity or developer |
| 29 | +availability, we may request more time to remediate the issue before |
| 30 | +public disclosure. |
| 31 | + |
| 32 | +# Supported Releases |
| 33 | + |
| 34 | +We only support the latest published release. We may backport patches when |
| 35 | +possible to help users running on distributions that package older versions of |
| 36 | +our software. |
| 37 | + |
| 38 | +# Threat Model |
| 39 | + |
| 40 | +We do not currently have a formally defined threat model; we will continue to |
| 41 | +document it over time. However, the basic security guarantees we would like to |
| 42 | +achieve are defined below. |
| 43 | + |
| 44 | +Please note, that if you believe you have discovered a security problem outside |
| 45 | +of this scope, we still want to know about it! We would still like to discuss |
| 46 | +the issue privately, but we may decide to address it beyond the response |
| 47 | +time described above. |
| 48 | + |
| 49 | +## Definitons |
| 50 | + |
| 51 | +- _privileged client_: A client that is allowed to make requests for credentials |
| 52 | + for any origin. |
| 53 | +- _unprivileged client_: A client that is allowed to make requests for |
| 54 | + credentials for only a preconfigured set of origins. |
| 55 | + |
| 56 | +## Scope |
| 57 | + |
| 58 | +Here is the current list of items that are in scope: |
| 59 | + |
| 60 | +- Privileged clients may request credentials via this service[^1] for any origin. |
| 61 | +- The list of privileged clients cannot change without: |
| 62 | + - `root` privileges, or |
| 63 | + - user consent[^2] |
| 64 | +- The list of unprivileged clients cannot change without: |
| 65 | + - `root` privileges, or |
| 66 | + - user consent[^2] |
| 67 | + |
| 68 | +We implicitly trust the kernel and D-Bus, so any attacks that exploit those are |
| 69 | +out of scope for this project. |
| 70 | + |
| 71 | +Some other attacks that are explicitly out of scope are those that require: |
| 72 | + |
| 73 | +- physical access |
| 74 | +- direct access to authenticators |
| 75 | +- root privilege escalation |
| 76 | + |
| 77 | +[^1]: |
| 78 | + Various systems may allow users to interact with authenticators directly |
| 79 | + (e.g. allowing unrestricted permission to USB devices or Bluetooth service |
| 80 | + data), so those are out of scope. |
| 81 | + |
| 82 | +[^2]: |
| 83 | + In the future we may offer a stricter guarantee that privileged clients |
| 84 | + must include permission in application metadata signed by a trusted party. |
0 commit comments