From c61ca3492b59e07d79f53d1b0cd6cb396cd0801d Mon Sep 17 00:00:00 2001 From: William Bergamin Date: Fri, 19 Jun 2026 14:10:07 -0400 Subject: [PATCH] docs: restore canonical security policy Move .github/SECURITY.md to the repository root so it replaces the top-level SECURITY.md added by the Salesforce OSPO Service Bot on 2026-06-02. GitHub resolves security policy with root taking precedence over .github/, so the bot file had silently shadowed the maintained policy. This restores the correct reporting channel. Co-Authored-By: Claude --- .github/SECURITY.md | 68 ----------------------------------------- SECURITY.md | 73 +++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 67 insertions(+), 74 deletions(-) delete mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md deleted file mode 100644 index 3f6ea3e63..000000000 --- a/.github/SECURITY.md +++ /dev/null @@ -1,68 +0,0 @@ -# Security Policy - -Slack takes the security of its software and services seriously, including all open-source repositories managed through the [slackapi](https://github.com/slackapi) GitHub organization. - -## Reporting a Vulnerability - -**Do NOT report security vulnerabilities through public GitHub issues, pull requests, or discussions.** - -If you believe you have found a security vulnerability in `slack_sdk`, please report it through the Slack bug bounty program on HackerOne: - -**** - -Even if `slack_sdk` is not explicitly listed as an in-scope asset on the HackerOne program page, reports for vulnerabilities in this package should still be submitted there. The Slack security team triages reports for all `slackapi` open-source repositories through this program. - -If HackerOne is inaccessible, you may alternatively report the issue to [security@salesforce.com](mailto:security@salesforce.com). - -Please do not discuss potential vulnerabilities in public without first coordinating with the security team. - -## What to Include - -To help us triage and respond quickly, please include: - -- Type of vulnerability (e.g., signature bypass, token leakage, denial of service) -- Affected version(s) of `slack_sdk` -- Step-by-step reproduction instructions -- Proof-of-concept code or payloads, if available -- Impact assessment: what an attacker could achieve -- Any specific configuration required to trigger the vulnerability -- Affected source file paths, if known - -## Threat Model - -The Python Slack SDK is a collection of client libraries for interacting with Slack's APIs. It provides utilities for request signature verification, OAuth token management and storage, and real-time WebSocket communication via Socket Mode. The security boundary covers the safe handling of credentials, the integrity of cryptographic verification, and the confidentiality of data in transit and at rest. - -### In Scope - -The following are considered SDK vulnerabilities: - -- Bypass of request signature verification (HMAC-SHA256 validation in `slack_sdk.signature`) -- Token or credential leakage through logs, error messages, HTTP headers, or unintended network requests -- OAuth state parameter validation bypass or CSRF vulnerabilities in the authorization flow (`slack_sdk.oauth`) -- Cross-tenant token exposure or installation data leakage in built-in installation stores -- Token storage vulnerabilities in any built-in installation store or state store backend -- Failure to enforce TLS for connections to Slack's APIs (Web API, WebSocket, or webhook endpoints) -- WebSocket connection hijacking or man-in-the-middle vulnerabilities in Socket Mode clients -- Denial of service caused by malformed API responses or WebSocket frames that crash or hang the client -- Information disclosure through SDK error responses or timing side channels -- Insecure default configurations that could lead to credential exposure - -### Out of Scope - -The following are NOT SDK vulnerabilities: - -- Vulnerabilities in the Python runtime, operating system, or hosting infrastructure -- Security issues in Slack's server-side platform infrastructure (report those directly under Slack's main HackerOne scope) -- Vulnerabilities in third-party PyPI packages chosen and installed by the developer outside of this SDK's direct dependencies (e.g., aiohttp, websockets, SQLAlchemy, boto3) -- Security issues in developer application logic built on top of the SDK (e.g., storing tokens insecurely in application code) -- Attacks that require possession of valid tokens or signing secrets (the SDK assumes credentials provided to it are confidential) -- Rate limiting or resource exhaustion on Slack's servers caused by legitimate API usage -- Issues that only affect end-of-life Python versions with no reproduction on supported versions -- Security of custom API base URLs configured by the developer for testing or proxying - -## Disclosure Policy - -This project follows coordinated disclosure: - -- Allow a reasonable timeframe for the team to investigate, develop, and release a fix before any public disclosure. -- Researchers who follow responsible disclosure practices are eligible for recognition and bounty consideration through the Slack HackerOne program. diff --git a/SECURITY.md b/SECURITY.md index b69c021ed..3f6ea3e63 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,7 +1,68 @@ -## Security +# Security Policy -Please report any security issue to [https://www.sfdc.co/SubmitVuln](https://www.sfdc.co/SubmitVuln) -as soon as it is discovered. This library limits its runtime dependencies in -order to reduce the total cost of ownership as much as can be, but all consumers -should remain vigilant and have their security stakeholders review all third-party -products (3PP) like this one and their dependencies. +Slack takes the security of its software and services seriously, including all open-source repositories managed through the [slackapi](https://github.com/slackapi) GitHub organization. + +## Reporting a Vulnerability + +**Do NOT report security vulnerabilities through public GitHub issues, pull requests, or discussions.** + +If you believe you have found a security vulnerability in `slack_sdk`, please report it through the Slack bug bounty program on HackerOne: + +**** + +Even if `slack_sdk` is not explicitly listed as an in-scope asset on the HackerOne program page, reports for vulnerabilities in this package should still be submitted there. The Slack security team triages reports for all `slackapi` open-source repositories through this program. + +If HackerOne is inaccessible, you may alternatively report the issue to [security@salesforce.com](mailto:security@salesforce.com). + +Please do not discuss potential vulnerabilities in public without first coordinating with the security team. + +## What to Include + +To help us triage and respond quickly, please include: + +- Type of vulnerability (e.g., signature bypass, token leakage, denial of service) +- Affected version(s) of `slack_sdk` +- Step-by-step reproduction instructions +- Proof-of-concept code or payloads, if available +- Impact assessment: what an attacker could achieve +- Any specific configuration required to trigger the vulnerability +- Affected source file paths, if known + +## Threat Model + +The Python Slack SDK is a collection of client libraries for interacting with Slack's APIs. It provides utilities for request signature verification, OAuth token management and storage, and real-time WebSocket communication via Socket Mode. The security boundary covers the safe handling of credentials, the integrity of cryptographic verification, and the confidentiality of data in transit and at rest. + +### In Scope + +The following are considered SDK vulnerabilities: + +- Bypass of request signature verification (HMAC-SHA256 validation in `slack_sdk.signature`) +- Token or credential leakage through logs, error messages, HTTP headers, or unintended network requests +- OAuth state parameter validation bypass or CSRF vulnerabilities in the authorization flow (`slack_sdk.oauth`) +- Cross-tenant token exposure or installation data leakage in built-in installation stores +- Token storage vulnerabilities in any built-in installation store or state store backend +- Failure to enforce TLS for connections to Slack's APIs (Web API, WebSocket, or webhook endpoints) +- WebSocket connection hijacking or man-in-the-middle vulnerabilities in Socket Mode clients +- Denial of service caused by malformed API responses or WebSocket frames that crash or hang the client +- Information disclosure through SDK error responses or timing side channels +- Insecure default configurations that could lead to credential exposure + +### Out of Scope + +The following are NOT SDK vulnerabilities: + +- Vulnerabilities in the Python runtime, operating system, or hosting infrastructure +- Security issues in Slack's server-side platform infrastructure (report those directly under Slack's main HackerOne scope) +- Vulnerabilities in third-party PyPI packages chosen and installed by the developer outside of this SDK's direct dependencies (e.g., aiohttp, websockets, SQLAlchemy, boto3) +- Security issues in developer application logic built on top of the SDK (e.g., storing tokens insecurely in application code) +- Attacks that require possession of valid tokens or signing secrets (the SDK assumes credentials provided to it are confidential) +- Rate limiting or resource exhaustion on Slack's servers caused by legitimate API usage +- Issues that only affect end-of-life Python versions with no reproduction on supported versions +- Security of custom API base URLs configured by the developer for testing or proxying + +## Disclosure Policy + +This project follows coordinated disclosure: + +- Allow a reasonable timeframe for the team to investigate, develop, and release a fix before any public disclosure. +- Researchers who follow responsible disclosure practices are eligible for recognition and bounty consideration through the Slack HackerOne program.