add SECURITY.md

2021-09-22 22:55:19 +10:00 · 2021-09-22 22:55:19 +10:00 · 013d410bd8
commit 013d410bd8
parent 1cd911ab63
1 changed files with 27 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,27 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Anki does not currently have a bug bounty program, but if you have discovered a
+security issue, a private message on our support site would be greatly
+appreciated. No account is required to post a message:
+
+https://anki.tenderapp.com/discussion/new
+
+## FAQ
+
+### Javascript on Cards/Templates
+
+Anki allows users and shared deck authors to augment their card designs with
+Javascript. This is used frequently, so disabling Javascript by default would
+likely break a lot of the shared decks out there. That said, the default may be
+changed in the future.
+
+The computer version has a limited interface between Javascript and the parts of
+Anki outside of the webview, so arbitrary code execution outside of the webview
+should not be possible.
+
+AnkiWeb hosts its study and editing interface on a separate ankiuser.net domain,
+so that malicious Javascript on cards can not trigger endpoints hosted on the
+main site. If you've found that not to be the case, or found an instance of JS
+not being filtered on the main site, please let us know.