Split vulnerability policy into SECURITY.md

dguido · claude · dguido · commit d4c488376ad4 · 2026-02-20T15:18:36.000-08:00
Move human-facing reporting policy to SECURITY.md (GitHub surfaces this
on the Security tab). Keep implementation-specific guidance (blocklist
maintenance, dotted path matching) in CLAUDE.md.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -101,12 +101,11 @@ Build payloads using fickling's opcode API (`op.Proto`, `op.ShortBinUnicode`, `o
 
 Actions are SHA-pinned with version comments. uv is used for dependency caching.
 
-## Vulnerability reporting
+## Vulnerability fixes
 
-- Every report must include a test case for `test/test_bypasses.py` with a GHSA/CVE link in a comment above the method.
-- Use `echo`/`print` for PoCs — no shells, no sensitive file reads, no remote scripts.
-- Keep impact descriptions brief (e.g., "module X is not blocklisted and enables code execution").
+See `SECURITY.md` for reporting policy. When implementing fixes:
+
+- Every fix needs a regression test in `test/test_bypasses.py` with the GHSA/CVE linked in a comment above the method.
 - Update **both** blocklists: `UNSAFE_IMPORTS` in `fickle.py` and the relevant dict in `analysis.py`. Match specific names (e.g., `_io.FileIO` not all of `_io`) to avoid false positives.
 - Import matching checks all components of dotted paths (`foo.bar.os` matches `os`).
 - **Out of scope:** `UnusedVariables` bypasses — this is an intentionally weak supplementary heuristic.
-- No suggested code fixes without human review.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+Please report vulnerabilities through [GitHub Security Advisories](https://github.com/trailofbits/fickling/security/advisories/new). Do not open public issues for security reports.
+
+## What to include
+
+- A minimal reproducing test case using fickling's opcode API (`op.Proto`, `op.ShortBinUnicode`, `op.StackGlobal`, `op.Reduce`, etc.) or Python's `pickle` module. Do not submit raw byte strings.
+- Use `echo` or `print` for PoCs — no shells, no sensitive file reads, no remote scripts.
+- A brief impact description (e.g., "module X is not blocklisted and enables code execution"). Elaborate exploitation scenarios are not necessary.
+
+## What is out of scope
+
+- **`UnusedVariables` bypasses.** This is an intentionally weak, supplementary heuristic. Bypassing it alone is not a meaningful finding.
+
+## Fixes
+
+Do not include suggested code fixes in reports unless they have been reviewed and approved by a maintainer first. If a fix is accepted, it will include a regression test in `test/test_bypasses.py` linked to the advisory.
