~whynothugo/vdirsyncer-rs

a61065341e941412c3874f5d91b0433d80fdd7e6 — Hugo Osvaldo Barrera 2 months ago 9bcde50
Include a draft security model
1 files changed, 19 insertions(+), 0 deletions(-)

A SECURITY.md
A SECURITY.md => SECURITY.md +19 -0
@@ 0,0 1,19 @@
Note: This document is still incomplete.

# Security model

Access to creating new items in a storage should be restricted. An actor with
the ability to create new items can poison a storage in a way that other items
are overwritten (and therefore, lost).

Vdirsyncer will retain credentials in memory during its entire lifetime. This
can be improved via https://todo.sr.ht/~whynothugo/vdirsyncer-rs/44. In the
meantime, any actor with read access to vdirsyncer's memory space may extract
secret credentials from it.

# Manual tasks

The following need to be run manually and ought to be made part of some
automated process:

    cargo-audit audit
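
Review bot: The first paragraph under "Security model" says an actor who can create items can poison a storage so that other items are overwritten, but it does not say under what condition the overwrite happens or which storages are affected. As written, a reader cannot tell what to restrict or how to notice that it has happened. Suggest adding one sentence that describes the condition leading to the overwrite, plus a concrete recommendation for operators on which storages should not accept items from untrusted writers. The credentials paragraph links a tracking ticket, and the "Manual tasks" section would benefit from the same: `cargo-audit audit` is described as something that "ought to be made part of some automated process", but no ticket or CI job is referenced. The opening line "Note: This document is still incomplete." could also list which parts of the model are still missing, so readers know what is not yet covered.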