From fb389e235d50eaeaa0d65e82be65b9d55b5b66be Mon Sep 17 00:00:00 2001 From: Audrey Dutcher Date: Sun, 9 Jan 2022 19:49:40 -0700 Subject: [PATCH] Draft security and reporting advisory (#3072) * Draft security and reporting advisory * Second draft --- SECURITY.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..cc09cf1cc58 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +Security +======== + +angr is meant to be able to function as fully secure environment for analyzing code of any kind in its default configuration. +As a result, we take sandbox escapes - opportunities for guest code to manipulate the host environment without the analysis author explicitly allowing it - very seriously. +If you read all the documentation, you should be able to deploy angr to analyze untrusted code without worrying about it. + +If you find a sandbox escape bug of any sort by this definition, please let us know through a private channel. +You can contact the core developers through their emails at audrey@rhelmot.io and fishw@asu.edu.
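Review bot: The reporting paragraph at the end of the new SECURITY.md names "a private channel" but gives only two individual email addresses, with no indication of what a report should contain, whether encrypted mail is possible, or when the reporter can expect a reply. Consider adding one or two sentences covering those expectations, so that reports do not depend on the reporter guessing the process. In the first paragraph, "you should be able to deploy angr to analyze untrusted code without worrying about it" is conditioned on "If you read all the documentation", while the threat model is stated as the "default configuration" with escapes counted only when not "explicitly allowed" by the analysis author. It would help to say which options or features count as explicit allowance, or to point to where the documentation lists them, so a reader can tell whether a given finding falls inside the definition. Minor wording: "function as fully secure environment" is missing an article ("as a fully secure environment").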