36 changes: 34 additions & 2 deletions SECURITY.md
Expand Up @@ -20,6 +20,38 @@ In addition, Python libraries in this project are only released for [recent Pyth

## Reporting a Vulnerability

This project is a calculation library without network connection or authentications.
There could be however vulnerabilities in the form of (C++) bugs.
This project contains multiple repositories, each with different responsibilities, and therefore also different risks
regarding vulnerabilities.
You can report the vulnerabilities in the issues as a bug.

### power-grid-model

[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7298/badge)](https://bestpractices.coreinfrastructure.org/projects/7298)

Comment on lines +29 to +30
Member
Should these two links be here out of the blue? Maybe refer to them at the end of the section with a short intro to the badge?

[`power-grid-model`](https://github.com/PowerGridModel/power-grid-model) is a calculation library without network
connection or authentications.
It is, however, possible that there are vulnerabilities in the form of (C++) bugs.
Please refer to our assurance case regarding
[different types of bugs and vulnerabilities](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#bug)
and [undefined behavior](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#undefined-behavior),
as well as the respective trust boundaries.
You can report the vulnerabilities in the issues as a bug.

### power-grid-model-ds

[`power-grid-model-ds`](https://github.com/PowerGridModel/power-grid-model-ds) is a data science library that processes
datasets and configuration that may be user-provided.
Treat all external inputs as untrusted, validate formats/schemas where possible and avoid unsafe deserialization
(e.g. `pickle`) for untrusted files.
If the visualizer is installed and used, note that it runs a local web server and opens a TCP port.

### power-grid-model-io

[`power-grid-model-io`](https://github.com/PowerGridModel/power-grid-model-io) is a data conversion library and
constains user configuration in the form of custom mappings and filters via a YAML file.
To prevent code injection during loading, `yaml.safe_load` is used.
In addition, execution is restricted to specific white-listed functions and modules.
Please refer to the relevant
[security considerations](https://power-grid-model-io.readthedocs.io/en/stable/converters/tabular_converter.html#security-considerations)
for more information.
You can report the vulnerabilities in the issues as a bug.
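Review bot: the `power-grid-model-io` paragraph has a typo, "constains" should be "contains", and the three subsections are inconsistent about how to report: `power-grid-model` and `power-grid-model-io` end with "You can report the vulnerabilities in the issues as a bug." while `power-grid-model-ds` has no reporting sentence at all, so a reader of that section is left without a channel. Consider moving the reporting sentence to the top-level "Reporting a Vulnerability" heading once, so it applies to all repositories, and since public issues disclose the bug immediately, stating there whether a private channel is available before a fix is released. Minor: "white-listed" would read better as "allow-listed", and the `power-grid-model-ds` note about the visualizer opening a TCP port would be more actionable if it said which interface it binds to (loopback only or all interfaces), as that is the security-relevant detail for a local web server.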