From 5fb7f5b53398516f5ebbbc4a047f2be07d522049 Mon Sep 17 00:00:00 2001 From: Collin Date: Tue, 24 Jun 2025 23:08:37 -0500 Subject: [PATCH 1/7] Create SECURITY.md to fix issue #213 Current best draft of SECURITY.md to help enable CodeQL alerts on master branch. --- SECURITY.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..e5ed9e229 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,41 @@ +# X11Libre Security Policy + +## Reporting Vulnerabilities + +We take security seriously in X11Libre. If you discover any vulnerabilities, please report them responsibly. + +- **Contact**: https://github.com/metux info@metux.net legendarydood@gmail.com +- **Preferred Method**: Email with detailed reproduction steps, logs, and system info +- **Public Disclosure**: Please wait until we’ve resolved the issue before making it public + +## Supported Versions + +| Version | Status | +| --------------- | ------------------------- | +| `master` branch | Supported and maintained | +| Older tags | No longer supported | + +We recommend always using the latest release for performance and security fixes. + +## Security Best Practices (User-Side) + +To help protect your systems when using x11libre: + +- Use minimal privileges when running X sessions +- Avoid setuid binaries unless required +- Keep your display manager and window manager updated +- Regularly audit any X11-forwarded connections, especially over SSH +- Use sandboxing or containerization when integrating third-party extensions + +## Developer Guidelines + +For contributors submitting PRs: + +- Don’t introduce new system calls without justification +- Avoid unsafe memory operations (especially in C/C++) +- Use compile-time and runtime hardening flags +- Submit fuzzing harnesses or test vectors for complex parsing logic + +--- + +We appreciate your help in keeping x11libre safe for everyone. Let’s build something resilient, secure, and libre. From 387726de060f244b6d104c1338d2833a9258efde Mon Sep 17 00:00:00 2001 From: Collin Date: Tue, 24 Jun 2025 23:16:41 -0500 Subject: [PATCH 2/7] Update SECURITY.md added more instances of capitialization to X11Libre --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e5ed9e229..2238b406e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -19,7 +19,7 @@ We recommend always using the latest release for performance and security fixes. ## Security Best Practices (User-Side) -To help protect your systems when using x11libre: +To help protect your systems when using X11Libre: - Use minimal privileges when running X sessions - Avoid setuid binaries unless required @@ -38,4 +38,4 @@ For contributors submitting PRs: --- -We appreciate your help in keeping x11libre safe for everyone. Let’s build something resilient, secure, and libre. +We appreciate your help in keeping X11Libre safe for everyone. Let’s build something resilient, secure, and libre. From b5c0604e268c0128cfa531683eb2590fed99aadf Mon Sep 17 00:00:00 2001 From: Collin Date: Wed, 25 Jun 2025 16:09:46 -0500 Subject: [PATCH 3/7] Apply suggestions from code review change the line to "The X11Libre project takes security seriously. If you discover any vulnerabilities, please report them responsibly." Co-authored-by: Alexis Lefebvre --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 2238b406e..6c28f575c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,7 @@ ## Reporting Vulnerabilities -We take security seriously in X11Libre. If you discover any vulnerabilities, please report them responsibly. +We take security seriously at X11Libre. If you discover any vulnerabilities, please report them responsibly. - **Contact**: https://github.com/metux info@metux.net legendarydood@gmail.com - **Preferred Method**: Email with detailed reproduction steps, logs, and system info From ae425241c50a7ac63049e1cd0401bb207f89e599 Mon Sep 17 00:00:00 2001 From: Collin Date: Wed, 25 Jun 2025 16:10:25 -0500 Subject: [PATCH 4/7] Update SECURITY.md --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6c28f575c..91ef61a78 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,7 +2,7 @@ ## Reporting Vulnerabilities -We take security seriously at X11Libre. If you discover any vulnerabilities, please report them responsibly. +The X11Libre project takes security seriously. If you discover any vulnerabilities, please report them responsibly. - **Contact**: https://github.com/metux info@metux.net legendarydood@gmail.com - **Preferred Method**: Email with detailed reproduction steps, logs, and system info From ebf2b0c1fa17750a3604e7744c5cc550101cecfa Mon Sep 17 00:00:00 2001 From: Collin Date: Fri, 4 Jul 2025 00:53:37 -0500 Subject: [PATCH 5/7] Update SECURITY.md with detailed instructions for security vuln reports --- SECURITY.md | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 91ef61a78..2e418029f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,9 +4,37 @@ The X11Libre project takes security seriously. If you discover any vulnerabilities, please report them responsibly. -- **Contact**: https://github.com/metux info@metux.net legendarydood@gmail.com -- **Preferred Method**: Email with detailed reproduction steps, logs, and system info -- **Public Disclosure**: Please wait until we’ve resolved the issue before making it public +### How to Report a Security Vulnerabilitiy + +Send a detailed email to one or more of the following contacts: +- info@metux.net +- legendarydood@gmail.com + +Include the following information: + +1. **Vulnerability description** + - What did you observe, and why is it a concern? + +2. **Reproduction steps** + - Clear, step-by-step instructions + - Include specific configurations or inputs required + +3. **System and environment details** + - OS version + - X11Libre version or commit hash + - Display manager, drivers, or hardware specifics + +4. **Supporting data** + - Logs (in plain text) + - Core dumps (if available and safe to share) + +5. **Impact analysis (if known)** + - Potential for remote or local exploitation + - Possible consequences (e.g. data exposure, privilege escalation, denial-of-service) + +Please allow us ample time to validate and patch the issue before disclosing it publicly. + +Feel free to privately message staff over our offical Matrix or Telegram if the issue is of extreme merit and needs an immediate solution. ## Supported Versions From 6f31deb542ab7fb4d97efe7a8420e495108c9b9f Mon Sep 17 00:00:00 2001 From: Collin Date: Fri, 4 Jul 2025 00:56:09 -0500 Subject: [PATCH 6/7] Update SECURITY.md to fix typo --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 2e418029f..a79d35423 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,7 +4,7 @@ The X11Libre project takes security seriously. If you discover any vulnerabilities, please report them responsibly. -### How to Report a Security Vulnerabilitiy +### How to Report a Security Vulnerability Send a detailed email to one or more of the following contacts: - info@metux.net From b92b886abbf2a9e89243be3f5b677fab740b12ec Mon Sep 17 00:00:00 2001 From: Collin Date: Fri, 4 Jul 2025 01:00:56 -0500 Subject: [PATCH 7/7] Update SECURITY.md to fix another typo --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index a79d35423..62473c2f1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -34,7 +34,7 @@ Include the following information: Please allow us ample time to validate and patch the issue before disclosing it publicly. -Feel free to privately message staff over our offical Matrix or Telegram if the issue is of extreme merit and needs an immediate solution. +Feel free to privately message staff over our official Matrix or Telegram if the issue is of extreme merit and needs an immediate solution. ## Supported Versions
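Review bot: In PATCH 1/7, the `**Contact**` item runs a GitHub profile URL and two e-mail addresses together with no separators, and one of the addresses is a personal gmail.com mailbox; split them into separate items and prefer a project-controlled address (or GitHub's private vulnerability reporting) so reports do not depend on an individual's personal inbox. The `**Public Disclosure**` item asks reporters to wait but states no acknowledgement or disclosure window, so the request is not actionable; give one, even approximate. The Supported Versions table marks only the `master` branch as supported while the sentence right after it recommends "always using the latest release"; a reader following that advice would be on an "Older tags" line that the table says is unsupported, so reconcile the two. In Developer Guidelines, "Use compile-time and runtime hardening flags" only helps a contributor if the policy names the flags the build enables or links to where they are configured.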
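Review bot: PATCH 4/7 rewrites the same sentence PATCH 3/7 just changed ("We take security seriously at X11Libre." becomes "The X11Libre project takes security seriously."), and the commit message of PATCH 3/7 already quotes the PATCH 4/7 wording as the intended result; squash the two so the history records one review-driven change instead of an intermediate wording that never shipped.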
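Review bot: In PATCH 5/7, the new "How to Report" section drops the GitHub contact and leaves only two plain e-mail addresses, one of them personal, while asking reporters to send reproduction steps, logs and possibly core dumps there; offer an encrypted channel (a published key, or GitHub private vulnerability reporting) and a project-owned mailbox alongside them. The closing paragraph tells reporters to message staff over "our official Matrix or Telegram" without linking either, so a reporter has no way to tell the official room from an impostor's; link the canonical room and channel from the policy. "Please allow us ample time" should be a concrete acknowledgement and fix window, matching whatever the "Public Disclosure" expectation is. Under "Supporting data", the qualifier "safe to share" on core dumps needs a sentence on what makes a dump unsafe (what it may contain) so the reporter can actually make that judgement.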
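Review bot: PATCH 7/7 fixes "offical" and PATCH 6/7 fixes "Vulnerabilitiy", both introduced by PATCH 5/7 in this same series; squash both fixups into PATCH 5/7 so the series does not land a heading and a sentence that the next two commits immediately correct.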