Jordan231111 · Alexander-CH-Santos · Apr 3, 2026
@@ -0,0 +1,132 @@
+# Security Policy
+
+MalwareMinimizer is a security tool for malware detection.
+This document explains how to report issues, what we consider in scope, and what you can
+expect from us.
+
+---
+
+## Supported Versions
+
+This project is pre-1.0. Only the latest commit on the main branch is actively
+maintained. We do not backport fixes to older tags at this stage.
+
+
+---
+
+## Reporting a Vulnerability
+
+**Please do not open a public GitHub issue for security vulnerabilities.**
+
+Report privately by emailing:
+
+**EMAIL HERE**
+
+Use the subject line: '[SECURITY] MalwareMinimizer - <Short Description>'
+
+### What to include
+
+A useful report contains:
+
+- A clear description of the vulnerability and what it could allow an attacker
+  to do
+- Steps to reproduce, or a minimal proof-of-concept (see safe testing rules
+  below)
+- The version or commit hash you tested against
+- Your assessment of severity and any relevant CVEs or CWEs if applicable
+- Whether you have already disclosed this elsewhere
+
+You do not need to have a complete fix. A clear description of the problem is
+enough to start.
+
+---
+
+## What We Consider To Be In Scope
+
+- Vulnerabilities within the scanner, quarantine manager, or database update
+  pipeline that could allow privilege escalation, arbitrary file writes, or
+  path traversal
+- Issues that are in the signature update flow which could allow a malicious update
+  to compromise a user
+- Logic errors in quarantine or restore operations that could allow malware to
+  escape isolation or overwrite arbitrary paths
+- Dependency vulnerabilities with a realistic attack vector (checked via
+  'cargo audit' and 'cargo deny' in CI)
+- Build or release pipeline issues that could compromise distributed binaries
+
+## What We Consider Out of Scope
+
+- Vulnerabilities in the underlying OS that MalwareMinimizer does not
+  introduce or worsen
+- Reports that require an attacker to already have write access to the
+  signature database
+- Missing detections which are a known limitation of hash-based scanning, not
+  a security vulnerability
+- Social engineering or phishing attacks unrelated to the software itself
+- Issues already publicly known and tracked in our GitHub Issues
+
+---
+
+## Response Expectations
+
+We are a small team. Here is what you can realistically expect:
+
+| Milestone | Target |
+|-----------|--------|
+| Initial acknowledgement | Within **x** business days |
+| Triage and severity assessment | Within **x** business days |
+| Fix or mitigation plan communicated | Within **x** days for high/critical issues |
+| Public disclosure | Coordinated after a fix  |
+
+If we determine an issue is not a vulnerability, we will explain why. Good-faith reports
+will never be penalized or discouraged.
+
+---
+
+## Safe Testing Rules
+
+**Never submit real malware samples** as part of a report or proof-of-concept,
+in compressed or obfuscated form, or in any other way.
+
+Use safe test fixtures instead:
+
+- The [EICAR test string](https://www.eicar.org/download-anti-malware-testfile/)
+  is the standard safe fixture for antivirus/antimalware tooling. It is
+  harmless and is what this project uses internally.
+- If your proof-of-concept requires something EICAR cannot cover, describe the
+  behavior in text rather than submitting actual malicious content.
+
+Reports that include real malware samples will be discarded without response.
+
+---
+
+## Disclosure Policy
+
+We follow a coordinated disclosure model:
+
+1. You report privately.
+2. We work toward a fix if applicable.
+3. A fix is released.
+4. We publish a security advisory on GitHub.
+
+Additional information will be given about the current state of any fixes on an issue-
+to-issue basis.
+
+---
+
+## Dependency Security
+
+We run 'cargo audit' and 'cargo deny' in CI on every push. If you discover a
+transitive dependency vulnerability, check whether it is already tracked in our
+CI output before reporting. Reports for known and tracked advisory IDs without
+a new attack vector specific to this project are unlikely to result in
+immediate action but are still welcome.
+
+---
+
+## A Note on Project Maturity
+
+This project is pre-1.0 and under active development. Some subsystems are
+stubs pending implementation. We try to be honest about this in our
+documentation. If you find a security issue in a part of the codebase that is
+explicitly marked as not yet covered, please do not report the issue.