[latex3-commits] [latex3/l3sys-query] main: Add a security policy (f40c62a)
github at latex-project.org
Tue Mar 5 20:02:04 CET 2024
Repository : https://github.com/latex3/l3sys-query
On branch : main
Link : https://github.com/latex3/l3sys-query/commit/f40c62a7dafb6b8a2d1fead37168b5b50f9e0fdb
>---------------------------------------------------------------
commit f40c62a7dafb6b8a2d1fead37168b5b50f9e0fdb
Author: Joseph Wright <joseph at texdev.net>
Date: Tue Mar 5 19:02:04 2024 +0000
Add a security policy
>---------------------------------------------------------------
f40c62a7dafb6b8a2d1fead37168b5b50f9e0fdb
SECURITY.md | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..6eacf73
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security Policy
+
+## Link to TeX Live Security Model
+
+As described in the script documentation, the primary aim of `l3sys-query` is
+to support system queries in the context of restricted shell escape from a TeX
+run. Specifically, the script is intended to respect _restricted_ shell escape.
+
+## Reporting a Vulnerability
+
+Security vulnerabilities can be reported privately _via_ GitHub at
+https://github.com/latex3/l3sys-query/security. Using this mechanism means that
+the potential issue does not show in the public issues list, and will give the
+team chance to review the report before it is made public.
+
+Alternative, the LaTeX Team can be contacted by email:
+latex-team at latex-project.org.
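Review bot: The "Link to TeX Live Security Model" section promises a link in its heading but contains none, and it never says what counts as a vulnerability for this script. Consider pointing to the script documentation the paragraph mentions, and adding a sentence that behaviour which fails to respect restricted shell escape is in scope for reports. Two wording fixes are needed in "Reporting a Vulnerability": "will give the team chance to review" is missing an article ("a chance"), and "Alternative, the LaTeX Team can be contacted" should read "Alternatively, ...".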