From bcb9a00f2bd7f03828b0d78d54e0c1e8c6d6fa9e Mon Sep 17 00:00:00 2001 From: jremitz Date: Fri, 10 Apr 2026 11:11:42 -0500 Subject: [PATCH] docs: add security policy Documents supported versions, scope, and private vulnerability reporting channel so GitHub surfaces a policy in the Security tab and Community Standards checklist. --- SECURITY.md | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..f479f50 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,84 @@ +# Security Policy + +## Supported Versions + +reeln-core is pre-1.0 software. Security fixes are published against the +latest release only. We recommend always running the most recent version +from the [Releases page](https://github.com/StreamnDad/reeln-core/releases). + +| Version | Supported | +| ------- | ------------------ | +| latest release | :white_check_mark: | +| older | :x: | + +## Scope + +reeln-core is a Rust workspace providing the native backend for the reeln +ecosystem — media processing, overlay rendering, and FFmpeg orchestration. +It is consumed as a library by other reeln components and does not expose +any network listeners of its own. + +In-scope concerns include, but are not limited to: +- Memory safety issues (`unsafe` blocks, FFI boundaries, lifetime misuse) +- Command injection or argument smuggling when constructing `ffmpeg`, + `ffprobe`, or other subprocess invocations +- Filter-graph injection via user-controlled overlay, subtitle, or text + parameters passed to FFmpeg filter strings +- Path traversal or unsafe file handling in render pipelines, cache + directories, or intermediate artifact paths +- Unsafe deserialization of game state, render manifests, or config files + (JSON / TOML) +- Integer overflow, panic-on-untrusted-input, or denial-of-service in + media parsing and overlay rendering code + +Out of scope: +- Vulnerabilities in FFmpeg itself, or in third-party crates — report + those to the respective upstream project +- Vulnerabilities in consumers of reeln-core (`reeln-cli`, `reeln-dock`, + individual plugins) — report those to the respective repository +- Issues that require an attacker to already have local code execution + on the user's machine + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub +issues, discussions, or pull requests.** + +Report vulnerabilities using GitHub's private vulnerability reporting: + +1. Go to the [Security tab](https://github.com/StreamnDad/reeln-core/security) + of this repository +2. Click **"Report a vulnerability"** +3. Fill in as much detail as you can: affected version, reproduction steps, + impact, and any suggested mitigation + +If you cannot use GitHub's reporting, email **git-security@email.remitz.us** +instead. + +### What to include + +A good report contains: +- The version of reeln-core and Rust toolchain you tested against +- Your operating system and architecture (macOS / Windows / Linux, arch) +- Steps to reproduce the issue +- What you expected to happen vs. what actually happened +- The potential impact (memory corruption, code execution, command + injection, denial of service, etc.) +- Any proof-of-concept code, if applicable + +### What to expect + +reeln-core is maintained by a small team, so all timelines below are +best-effort rather than hard guarantees: + +- **Acknowledgement:** typically within a week of your report +- **Initial assessment:** usually within two to three weeks, including + whether we consider the report in scope and our planned next steps +- **Status updates:** roughly every few weeks until the issue is resolved +- **Fix & disclosure:** coordinated with you. We aim to ship a patch + release reasonably quickly for high-severity issues, with lower-severity + issues addressed in a future release. Credit will be given in the + release notes and CHANGELOG unless you prefer to remain anonymous. + +If a report is declined, we will explain why. You are welcome to disagree +and provide additional context.