alamb commented on code in PR #49761:
URL: https://github.com/apache/arrow/pull/49761#discussion_r3088601278
##########
docs/source/format/Security.rst:
##########
@@ -51,6 +51,34 @@ You should read this document if you belong to either of
these two categories:
documented on https://arrow.apache.org.
+.. _bugs_vs_security:
+
+Bugs vs. Security Vulnerabilities
+=================================
+
+Arrow aims for robustness when processing untrusted data, but it is important
to
+distinguish functional bugs from security vulnerabilities.
+
+Unexpected behavior (e.g., crashes or infinite loops) triggered by malformed
+input is generally considered a **bug**, not a security vulnerability, unless
it
+is **exploitable**. An issue is exploitable if an attacker can:
+
+* Execute arbitrary code (RCE);
+* Exfiltrate sensitive information from process memory (Information
Disclosure);
+* Cause a sustained Denial of Service (DoS) affecting the broader system.
Review Comment:
yeah, I was hedging with "sustained" and "affecting the broader system" . I
guess in my mind I don't think we should treat panics or OOMs as security
issues (they are bugs certainly)
I want it to be clear to downstream users that they need to take other
precautions (like process sandboxing, and cgroups for example) to make their
systems resilent rather than assume we will treat every bug as a security issue
##########
docs/source/format/Security.rst:
##########
@@ -51,6 +51,34 @@ You should read this document if you belong to either of
these two categories:
documented on https://arrow.apache.org.
+.. _bugs_vs_security:
+
+Bugs vs. Security Vulnerabilities
+=================================
+
+Arrow aims for robustness when processing untrusted data, but it is important
to
+distinguish functional bugs from security vulnerabilities.
+
+Unexpected behavior (e.g., crashes or infinite loops) triggered by malformed
+input is generally considered a **bug**, not a security vulnerability, unless
it
+is **exploitable**. An issue is exploitable if an attacker can:
+
+* Execute arbitrary code (RCE);
+* Exfiltrate sensitive information from process memory (Information
Disclosure);
+* Cause a sustained Denial of Service (DoS) affecting the broader system.
Review Comment:
Maybe we should just remove "denial of service" from the list 🤔
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
