From 61cbb1ebb6a0925ccee92ce3897636b4a5eb0b35 Mon Sep 17 00:00:00 2001 From: "J. Nick Koston" Date: Fri, 15 May 2026 12:53:12 -0700 Subject: [PATCH] docs: add SECURITY.md with private vulnerability reporting policy Document the supported channel for security reports: GitHub's private vulnerability reporting feature (/security/advisories/new). The policy also names scope and out-of-scope cases, so reports about "a malicious LAN peer can send packets" don't get filed as embargoed advisories. Cross-reference from CLAUDE.md so an LLM acting on a user- reported vulnerability points the user at the private route instead of opening a public issue, PR, or commit naming the affected code path. --- CLAUDE.md | 11 +++++++++++ SECURITY.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 SECURITY.md diff --git a/CLAUDE.md b/CLAUDE.md index 7e22c336..ac818648 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -157,6 +157,17 @@ mutated from multiple threads without locks; no but the test matrix exercises 3.14t, so any new Cython module needs to keep working there. +## Reporting security issues + +Suspected security vulnerabilities go through GitHub's [private +vulnerability reporting][gh-report], not public issues or pull +requests. The policy is spelled out in [SECURITY.md](SECURITY.md). +If a user describes what sounds like a vulnerability in chat, +point them at that route instead of opening a public issue, PR, +or commit that names the bug class and the affected code path. + +[gh-report]: https://github.com/python-zeroconf/python-zeroconf/security/advisories/new + ## Useful entry points | Path | What | diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..5dee00d6 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,52 @@ +# Security Policy + +## Reporting a vulnerability + +Please report security vulnerabilities privately through GitHub's +[private vulnerability reporting][gh-report] for this repository. +That route sends the report directly to the maintainers and lets +us coordinate a fix, a CVE, and a release before public +disclosure. + +**Do not** open a regular GitHub issue, a pull request, or post +to a public channel (mailing list, chat room, Stack Overflow, +etc.) for a suspected vulnerability. If you are unsure whether +something is a vulnerability, use the private report โ€” we would +rather see a false alarm than a public one. + +We aim to acknowledge new reports within a few business days. + +[gh-report]: https://github.com/python-zeroconf/python-zeroconf/security/advisories/new + +## Supported versions + +Security fixes are released against the latest `0.x` line on +PyPI. Older releases are not maintained โ€” please upgrade to the +current release before reporting, and confirm the issue still +reproduces there. + +## Scope + +`python-zeroconf` is an mDNS / DNS-SD library. By design it +parses untrusted multicast traffic from the local network +(RFC 6762, RFC 6763). In-scope issues include: + +- Memory-safety, parsing, or denial-of-service issues triggered + by crafted mDNS / DNS-SD packets reaching `DNSIncoming`, the + record cache, the service registry, or listener callbacks. +- Logic bugs that cause the library to answer queries it should + not, leak information across interfaces, or hijack a service + name from another responder in a way the RFCs don't sanction. +- Issues in the build / packaging pipeline (`build_ext.py`, + wheel contents, signed-release flow) that could lead to a + compromised wheel on PyPI. + +Out of scope: + +- Risks inherent to running an mDNS responder on an untrusted + network โ€” mDNS is unauthenticated by design (RFC 6762 ยง21). 
+ Reports of the form "a malicious LAN peer can send packets" + are expected behaviour unless they cross one of the lines + above. +- Misconfiguration of a downstream application that uses the + library.
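Review bot: the CLAUDE.md hunk tells the assistant not to open a public issue, PR, or commit that names the bug class and code path, but says nothing about what to do with the fix itself when the user already has a patch in hand; suggest one more sentence stating that the repair is also prepared privately and lands with the coordinated "fix, CVE, and release" step that SECURITY.md describes, so the redirect covers the fix as well as the report. The `[gh-report]` reference definition is repeated from SECURITY.md; that is fine across two files, but both copies need updating together if the advisory URL ever changes.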
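Review bot: in the SECURITY.md hunk the em dashes in the "Reporting a vulnerability" and "Supported versions" paragraphs and the section sign in `RFC 6762 ยง21` appear as mis-encoded bytes in the patch as shown (`โ€”`, `ยง`); confirm the file is committed as UTF-8, or use plain ASCII (`--`, `section 21`) so the rendered policy does not depend on encoding. Separately, the policy gives an acknowledgement target ("a few business days") but no expected fix or disclosure window and no fallback contact for a reporter who cannot use GitHub's private reporting; a sentence on each would make the coordinated-disclosure promise in the first paragraph concrete.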