|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## What is considered a vulnerability? |
| 4 | + |
| 5 | +There are some types of [low-severity][severity] vulnerabilities that we will not acknowledge as CVE and treat as bugs instead. |
| 6 | +All vulnerabilities with a severity of medium and above will of course be acknowledged and fixed. |
| 7 | + |
| 8 | +Please see the below section on how we treat [ReDoS] vulnerabilities. |
| 9 | + |
| 10 | +If you are unsure whether a vulnerability you found qualifies, please report it as a vulnerability via email (see below). |
| 11 | + |
| 12 | +### ReDoS |
| 13 | + |
| 14 | +Prism is a regex-based syntax highlighter. |
| 15 | +As such, the main types of vulnerabilities reported to us are [ReDoS] vulnerabilities ([CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)), aka slow regexes. |
| 16 | + |
| 17 | +However, not all ReDoS is created equal. |
| 18 | +A slow regex can be have a [worst-case time complexity](https://en.wikipedia.org/wiki/Time_complexity) anywhere from _O(n<sup>2</sup>)_ to _2<sup>O(n)</sup>_. |
| 19 | +This matters because a worst-case time complexity _≥ O(n<sup>3</sup>)_ is a [high severity][severity] vulnerability while _O(n<sup>2</sup>)_ is low or medium severity in the context of Prism. |
| 20 | +Furthermore, worst-case time complexities of _O(n<sup>2</sup>)_ can have 2 different causes: backtracking or moving. |
| 21 | +Backtracking is always fixable by rewriting the slow regex but moving is not (except in special cases). |
| 22 | + |
| 23 | +Because of their lower severity and the fact that moving is difficult or impossible to fix, we will treat regexes with worst-case time complexity of _O(n<sup>2</sup>)_ caused by moving as regular bugs and not as vulnerabilities. |
| 24 | +Please report them as [bugs](https://github.com/PrismJS/prism/issues/new/choose) instead of as vulnerabilities. |
| 25 | + |
| 26 | +If you found a slow regex but are unsure about the worst-case time complexity or its cause, please report it as a vulnerability via email (see below). |
| 27 | + |
| 28 | + |
| 29 | +## Reporting a Vulnerability |
| 30 | + |
| 31 | +***DO NOT CREATE AN ISSUE*** to report a vulnerability. |
| 32 | + |
| 33 | +Instead, please send an email to at least one of [Prism's maintainers](MAINTAINERS.md). |
| 34 | +See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details. |
| 35 | + |
| 36 | +### Procedure |
| 37 | + |
| 38 | +1. After you send an email [a maintainer](MAINTAINERS.md), you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days. |
| 39 | + |
| 40 | + We may require further information, so please keep in touch with us until the vulnerability has been fixed. |
| 41 | + |
| 42 | +2. After the vulnerability has been confirmed and accepted, we will create a [security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) and start working on a fix. |
| 43 | + |
| 44 | + You will be [added as a collaborator](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory) (this requires a GitHub account). |
| 45 | + At this point, all communication will occur using comments on the advisory and the [temporary private fork](https://docs.github.com/en/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability). |
| 46 | + |
| 47 | +3. After the fix has been merged, we will make a new release and publish the security advisory within one week. |
| 48 | + |
| 49 | + |
| 50 | +[ReDoS]: https://en.wikipedia.org/wiki/ReDoS |
| 51 | +[severity]: https://www.imperva.com/learn/application-security/cve-cvss-vulnerability/ |
0 commit comments