Add Security Policy
parent
47b411cf77
commit
d869cfdac6
1 changed files with 93 additions and 0 deletions
93
Security-Policy.md
Normal file
@ -0,0 +1,93 @@
# Security Policy
## Reporting a vulnerability
Email **security@lo.sh** with a description and, if possible, a minimal
reproduction. Please do **not** file public issues or PRs for security
reports — give us a chance to ship a fix before the details are
public.
You can expect an acknowledgement within **72 hours** and a status
update (triage outcome, target fix date, coordinated disclosure window)
within **7 days**.
## Supported versions
Pre-1.0, only the latest 0.1.x patch release receives security fixes.
Once 1.0 ships, the current major version plus the immediately
preceding major (if still within 6 months of its last release) will
receive backported fixes.
| Version | Status | Receives fixes? |
|---------|----------------------|-----------------|
| 0.1.x | Current development | Yes |
| < 0.1.0 | Not published | — |
## Disclosure timeline
Default coordinated-disclosure window is **90 days** from the first
response, extendable by mutual agreement if a fix is complex. We'll
credit reporters in the security advisory unless they prefer to remain
anonymous.
CVE numbers are requested for any issue that meets the MITRE criteria
(i.e. remote, unauthenticated, or affects multiple downstream users).
## In-scope issues
LAC is a codec library with a deliberately narrow attack surface. The
following are all taken seriously:
- **Decoder panics on crafted input.** Any byte sequence that causes
`decode_frame` / `decode_frame_into` / `parse_header` to panic,
abort, hang, or enter an unbounded loop is a security bug. The
decoder's contract (spec §6) is "reject cleanly or produce defined
output; never panic."
- **Encoder misbehaviour on in-contract input.** Any `samples: &[i32]`
with `|sample| ≤ 2²³ − 1` that causes `encode_frame` to panic,
corrupt memory, or produce a frame that does not round-trip is a
security bug. Out-of-contract input (spec §1 violation) is
documented to panic; that is not a bug.
- **Memory-safety issues.** LAC is `#![forbid(unsafe_code)]` in
intent; any path that could trigger undefined behaviour, uninitialised
reads, out-of-bounds access, or similar is a critical bug regardless
of triggering conditions.
- **CPU / memory amplification attacks.** Any input shape that causes
the decoder to consume disproportionate CPU or memory relative to
input size, beyond the buffer-size-proportional bound documented in
the README's *Input-size caps on untrusted channels* section.
## Out of scope
- **Compression-ratio regressions.** Not a security issue; file a
regular issue with a reproducer.
- **Bit-exactness deviations on malformed input.** Spec §6.2 explicitly
permits the decoder to produce any i32 value on adversarial
bitstreams. Callers that re-feed decoder output into `encode_frame`
without clamping are responsible for clamping; the resulting panic
is documented behaviour.
- **Silence-substitution amplification at the application layer.**
The README's *Silence-substitution amplification* section documents
this class and the mitigation (cap `frame_sample_count` to the
session-negotiated frame size). An application that ignores this
guidance and lets an attacker request 65 535 silence samples per
crafted frame is not vulnerable to LAC — it's vulnerable to its own
lack of input validation.
- **Timing / side-channel attacks.** LAC is a lossless codec, not a
cryptographic primitive; no constant-time guarantees are made. If
your deployment requires constant-time audio processing, LAC is not
the right component.
- **FLAC CLI comparison script** (`benches/compare-flac.sh`). Dev
tooling, not part of the published crate.
## Security-relevant design notes
- **Wire-format versioning** is the sync-word cluster (spec §8). A v2
decoder encountering a v1 frame or vice versa rejects cleanly; this
is a correctness property rather than a security one, but it is
the mechanism by which a future format revision can be deployed
without breaking old decoders on the same channel.
- **Fuzz coverage** runs in CI for every push, replaying the
repository's seeded corpus for both `decode_arbitrary` and
`roundtrip_arbitrary` targets. A regression that adds a new
panic-on-crafted-input path will fail CI before reaching a release.
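Review bot: The memory-safety bullet says LAC is `#![forbid(unsafe_code)]` "in intent", which leaves a reporter unable to tell whether the crate root actually carries the attribute, even though the bullet's severity rule ("critical bug regardless of triggering conditions") rests on it; state it as a fact and add the attribute to the crate root if it is not already there, so the guarantee is verifiable from the source. Two smaller points: the CVE paragraph's parenthetical ("remote, unauthenticated, or affects multiple downstream users") reads as this project's own threshold for requesting an identifier rather than a quotation of MITRE's inclusion rules, so word it that way; and the policy cites spec §1, §6, §6.2 and §8 and two README sections without links, so linking each would let a reporter check the exact contract being invoked (for example which inputs "spec §1 violation" covers before deciding whether a panic is in scope).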