Reporting security issues #164

Open
elharo opened this issue Feb 14, 2023 · 1 comment

Comments

elharo (Contributor) commented Feb 14, 2023

Include instructions somewhere (well-known location) about reporting security issues along with warnings about spamming because of naive security scanners.

If it's a real issue you've personally discovered and can explain, feel free to drop me an email.

If it's some security tool logging a warning, that is 95% likely not to be a security issue but rather a bug in the tool. You can file that here after you have investigated if you are willing to vouch that it is a true security issue, but be aware that these tools are almost never correct when analyzing Jaxen.

Things that are NOT security bugs in Jaxen:

  1. Anything in your dependency tree whose source code is not in this repo. You control your classpath. Jaxen doesn't. If you don't like what's in the classpath, change it.
  2. Properly implementing XML 1.0 according to the specification.
  3. Properly implementing XPath 1.0 according to the specification.
  4. Being able to load a URL from Java code.

Probably not security bugs in Jaxen:

  • Problems that only appear when your code (not Jaxen's) accepts untrusted, unvalidated user input

Possible security bugs in Jaxen (if you can find one, none are currently known to exist):

  • XPath expressions that cause infinite loops in the parser or exponential performance problems.
@elharo elharo self-assigned this Feb 14, 2023
@elharo elharo changed the title Reportinf security issues Reporting security issues Feb 14, 2023
elharo (Contributor, Author) commented Feb 14, 2023
