SECURITY.md 3.5 KB

Security Policy

Supported Versions

Only the latest version is supported. Firefox might use a slightly older version, which is supported-ish.

Our Threat Model

What is considered a vulnerability?

We assume that a project which makes use of this plugin to apply a reasonable amount of scrutiny to all patches that are accepted. We understand that this is a fuzzy line and the level of expected judgement and sensitivity to security issues will vary between projects and reviewers.

JavaScript static analysis is always very limited. On top we are limiting ourselves to the APIs that are provided by eslint. Most notable, there's no constant folding, so we can't allow variables that have been defined statically in different code paths or different files.

Here's a a couple of examples which we do not consider a bug in the linter:

foo['inner'+'HTML'] = evil; // no way to resolve concatenation
eval(atob(...)) // use eslint no-eval rules please.

function(d) { return document }
d.write(evil); // no way to resolve "d" statically

Reporting a Vulnerability

Bug Bounty / Vulnerability Rewards

Momentarily, we do not offer a bug bounty for security issues with this linter rule. Note that projects who depend on this linter might.

Consumers of this linter plugin

If what you found is leading to a vulnerability in any of the project that make use of this library, please follow the rules for that respective project. I.e., for Firefox please follow the Mozilla Client Bug Bounty FAQ and use the linked bugzilla submission form (requires you to create an account).

Sneaking your obfuscated code past this linter

Hey, did you read "What is considered a vulnerability", above?

Sneaking your innocent looking code past the linter

If what you found constitues in a code pattern that eslint should complain about, but doesn't, please file a private bug Bugzilla using this form (requires creating an account).