diff --git a/SECURITY.md b/SECURITY.md index 0e7e358..6447eef 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -20,6 +20,38 @@ In addition, Python libraries in this project are only released for [recent Pyth ## Reporting a Vulnerability -This project is a calculation library without network connection or authentications. -There could be however vulnerabilities in the form of (C++) bugs. +This project contains multiple repositories, each with different responsibilities, and therefore also different risks +regarding vulnerabilities. +You can report the vulnerabilities in the issues as a bug. + +### power-grid-model + +[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7298/badge)](https://bestpractices.coreinfrastructure.org/projects/7298) + +[`power-grid-model`](https://github.com/PowerGridModel/power-grid-model) is a calculation library without network +connection or authentications. +It is, however, possible that there are vulnerabilities in the form of (C++) bugs. +Please refer to our assurance case regarding +[different types of bugs and vulnerabilities](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#bug) +and [undefined behavior](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#undefined-behavior), +as well as the respective trust boundaries. +You can report the vulnerabilities in the issues as a bug. + +### power-grid-model-ds + +[`power-grid-model-ds`](https://github.com/PowerGridModel/power-grid-model-ds) is a data science library that processes +datasets and configuration that may be user-provided. +Treat all external inputs as untrusted, validate formats/schemas where possible and avoid unsafe deserialization +(e.g. `pickle`) for untrusted files. +If the visualizer is installed and used, note that it runs a local web server and opens a TCP port. 
+ +### power-grid-model-io + +[`power-grid-model-io`](https://github.com/PowerGridModel/power-grid-model-io) is a data conversion library and +constains user configuration in the form of custom mappings and filters via a YAML file. +To prevent code injection during loading, `yaml.safe_load` is used. +In addition, execution is restricted to specific white-listed functions and modules. +Please refer to the relevant +[security considerations](https://power-grid-model-io.readthedocs.io/en/stable/converters/tabular_converter.html#security-considerations) +for more information. You can report the vulnerabilities in the issues as a bug.
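Review bot: the reporting instruction "You can report the vulnerabilities in the issues as a bug." appears three times in this hunk (once under the intro, once under `### power-grid-model`, once at the end of `### power-grid-model-io`); state it once under "## Reporting a Vulnerability", and since public issues are visible to everyone, say explicitly whether that is the intended channel for all three repositories or whether a private route exists. Two wording fixes in the same hunk: "constains user configuration" should read "contains user configuration", and "without network connection or authentications" should read "without network connection or authentication". The `power-grid-model-ds` paragraph would also benefit from one concrete line on what "validate formats/schemas where possible" means for that library, and, for the visualizer, on which interface the local web server binds to, so readers know whether the TCP port is reachable from outside the host.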