# Security Policy

Music Assistant takes the security of our software and services seriously. We appreciate the security research community's efforts in helping us maintain a secure platform for our users.

## Reporting a Vulnerability

If you believe you have found a security vulnerability in Music Assistant, please report it to us through coordinated disclosure.

**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

Instead, please report them via GitHub Security Advisories:

1. Navigate to the [Music Assistant Server repository](https://github.com/music-assistant/server)
2. Click on the "Security" tab
3. Click "Report a vulnerability"
4. Fill in the advisory details form

We kindly ask that you allow at least 90 days for us to address the vulnerability before making any public disclosure. This gives us adequate time to develop, test, and release a fix.

### What to Include

Please include as much of the following information as possible to help us better understand and resolve the issue:

- Type of vulnerability (e.g., remote code execution, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it

If you are familiar with the CVSS 3.1 scoring system, please include a vector string using the [official CVSS 3.1 calculator](https://www.first.org/cvss/calculator/3.1).

### Response Timeline

We will make our best effort to respond to your report within 7 days. Please note that Music Assistant, like many open source projects, relies heavily on volunteers who are not full-time resources. We may not be able to respond as quickly as you would like due to other responsibilities.

## Supported Versions

Security updates are only provided for the latest stable release. We strongly encourage all users to keep their Music Assistant installation up to date.

- **Latest stable release**: ✅ Supported
- **Beta/development versions**: ⚠️ Accepted for reporting, but fixes will be released in the next stable version
- **Previous stable releases**: ❌ Not supported
- **Forks or modified versions**: ❌ Not supported

You can find the latest version on our [GitHub releases page](https://github.com/music-assistant/server/releases).

## Scope

### In Scope

Security vulnerabilities in the following areas are in scope:

- Music Assistant Server core application
- Official Music Assistant providers (music providers, player providers, metadata providers, plugins)
- Music Assistant Frontend (web interface)
- Authentication and authorization mechanisms
- API endpoints and data validation
- Configuration handling and storage

### Out of Scope

The following are **not** considered security vulnerabilities:

- **Third-party dependencies**: Vulnerabilities in third-party libraries should be reported to their respective maintainers. We will update dependencies as patches become available.
- **Theoretical vulnerabilities**: Reports must include a working proof of concept or a detailed explanation of how the vulnerability can be exploited.
- **Automated scanner results**: Raw output from automated security scanners without validation or proof of exploitability.
- **Social engineering attacks**: Attacks that rely on tricking users into performing actions.
- **Physical access attacks**: Vulnerabilities that require physical access to the device running Music Assistant.
- **Host system compromise**: Vulnerabilities that require prior access to the underlying operating system or container.
- **Malicious music files**: Music Assistant processes audio files provided by users and streaming services. Issues caused by intentionally malicious media files are generally out of scope unless they lead to remote code execution or significant security impact beyond local denial of service.
- **User-installed malicious providers**: Security issues arising from users installing untrusted third-party providers.
- **Privilege escalation for authenticated users**: Music Assistant treats all authenticated users as trusted administrators with full access to the system.
- **Self-inflicted vulnerabilities**: Issues caused by users intentionally misconfiguring their system or disabling security features.

## Public Disclosure & CVE Assignment

We will publish GitHub Security Advisories, and through those also request CVEs, for valid vulnerabilities that meet the following criteria:

- The vulnerability is in Home Assistant itself, not a third-party library.
- The vulnerability is not already known to us.
- The vulnerability is not already known to the public.
- CVEs will only be requested for vulnerabilities with a severity of medium or higher.

## Recognition

We appreciate the efforts of security researchers who help us keep Music Assistant secure. With your permission, we will publicly acknowledge your responsible disclosure in:

- The security advisory (if published)
- Release notes for the version containing the fix
- Our project documentation

If you prefer to remain anonymous, please let us know in your report.

## Bug Bounty Program

As an open-source project maintained by volunteers, Music Assistant does not offer monetary rewards for vulnerability reports. However, we deeply appreciate your contributions to the security of our project and will recognize your efforts publicly (with your permission).

## Questions

If you have questions about this security policy, please open a discussion in our [GitHub Discussions](https://github.com/music-assistant/server/discussions) or reach out on Discord.