From 2beae7aad6e9c89a794d3c87be21fcd5fe64e842 Mon Sep 17 00:00:00 2001 From: Tim van der Meij Date: Fri, 21 Jun 2024 16:43:52 +0200 Subject: [PATCH] Include a security policy for PDF.js This makes sure that security researchers can find the required information for reporting security vulnerabilities in a standardized manner across GitHub repositories. Please refer to https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository for more information. --- .github/SECURITY.md | 13 +++++++++++++ .github/security.png | Bin 0 -> 10890 bytes 2 files changed, 13 insertions(+) create mode 100644 .github/SECURITY.md create mode 100644 .github/security.png diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000000000..7218cd5fb3822 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,13 @@ +# Security policy + +Mozilla takes the security of our software seriously. If you believe you have found a security vulnerability in PDF.js, please report it to us as described below. + +## Reporting security vulnerabilities + +**Please don't report security vulnerabilities through public GitHub issues.** + +Instead, please report security vulnerabilities in [Bugzilla](https://bugzilla.mozilla.org/enter_bug.cgi?product=Firefox&component=PDF%20Viewer&groups=firefox-core-security) and make sure that the checkbox in the "Security" section is checked so the required access controls are automatically configured: + +![Security checkbox](security.png) + +The Mozilla security team will process the bug as described in [Mozilla's security bugs policy](https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs). 
diff --git a/.github/security.png b/.github/security.png new file mode 100644 index 0000000000000000000000000000000000000000..040128166b6bc25f5957ea819c55a6010f25ce48 GIT binary patch literal 10890
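Review bot: In .github/SECURITY.md, the reporting paragraph relies on the screenshot to show which checkbox to tick, while the Bugzilla link already carries `groups=firefox-core-security`, so a reporter cannot tell whether the link restricts the bug by itself or whether checking the box is still required. Suggest naming the checkbox label in the sentence itself, since the alt text "Security checkbox" does not convey it when the image fails to load or to screen-reader users, and asking the reporter to confirm the box is checked before submitting, including when they reach the form by another route. It would also help to state whether issues that only affect PDF.js outside Firefox are filed under the same `product=Firefox`, `component=PDF Viewer` target.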
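Review bot: For .github/security.png, the 10890-byte binary cannot be inspected in the diff and is referenced from SECURITY.md only by the relative path `security.png`. Please check that this path resolves wherever GitHub renders the policy outside the plain file view. Because the image depicts a form this repository does not control, it will go stale if that form's layout changes, so the written instruction should remain sufficient without it.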