Skip to content

Commit

Permalink
Added security policy.
Browse files Browse the repository at this point in the history
  • Loading branch information
xeioex committed May 29, 2024
1 parent 532d583 commit 52fc67a
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# Security Policy

## Latest Versions

We advise users to run or update to the most recent release of njs. Older versions may not have all enhancements and/or bug fixes applied to them.

## Special Considerations

njs does not evaluate dynamic code, especially code received from the network, in any way. The only way to evaluate such code using njs is to configure the `js_import` directive in nginx. JavaScript code is loaded once during nginx start.

In the nginx/njs threat model, JavaScript code is considered a trusted source in the same way as `nginx.conf` and site certificates. This means in practice:

- Memory disclosure and other security issues triggered by JavaScript code modification are not considered security issues, but as ordinary bugs.
- Measures should be taken to protect JavaScript code used by njs.
- If no `js_import` directives are present in `nginx.conf`, nginx is safe from JavaScript-related vulnerabilities.

## Reporting a Vulnerability

The F5 Security Incident Response Team (F5 SIRT) has an email alias that makes it easy to report potential security vulnerabilities.

- If you’re an F5 customer with an active support contract, please contact [F5 Technical Support](https://www.f5.com/services/support).
- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities with any F5 product to the F5 Security Incident Response Team at F5SIRT@f5.com

For more information visit [https://www.f5.com/services/support/report-a-vulnerability](https://www.f5.com/services/support/report-a-vulnerability)

0 comments on commit 52fc67a

Please sign in to comment.