diff --git a/docs/source/cpp/security.rst b/docs/source/cpp/security.rst index ee35f7b296f..4a754cc36c0 100644 --- a/docs/source/cpp/security.rst +++ b/docs/source/cpp/security.rst @@ -63,6 +63,10 @@ is always assumed to be :ref:`valid `. If your program may encounter invalid data, it must explicitly check its validity by calling one of the following validation APIs. +Note that library crashes or hangs triggered by invalid data are generally +considered bugs rather than security vulnerabilities, unless the behavior +is exploitable (see :ref:`Bugs vs. Security Vulnerabilities `). + Structural validity ''''''''''''''''''' diff --git a/docs/source/format/Security.rst b/docs/source/format/Security.rst index 8e630ea9a55..253a9f4c8ca 100644 --- a/docs/source/format/Security.rst +++ b/docs/source/format/Security.rst 
@@ -51,6 +51,34 @@ You should read this document if you belong to either of these two categories: documented on https://arrow.apache.org. +.. _bugs_vs_security: + +Bugs vs. Security Vulnerabilities +================================= + +Arrow aims for robustness when processing untrusted data, but it is important to +distinguish functional bugs from security vulnerabilities. + +Unexpected behavior (e.g., crashes or infinite loops) triggered by malformed +input is generally considered a **bug**, not a security vulnerability, unless it +is **exploitable**. An issue is exploitable if an attacker can: + +* Execute arbitrary code (RCE); +* Exfiltrate sensitive information from process memory (Information Disclosure); +* Cause a sustained Denial of Service (DoS) affecting the broader system. + +Examples of bugs that are typically **not** security vulnerabilities: + +* Process-local crashes (SIGSEGV, null pointer dereference, or `std::abort`) + that cannot be leveraged for code execution or information disclosure; +* Resource exhaustion (infinite loops, high CPU/memory usage) that only + affects the local process. + +Report such issues on our `public issue tracker `_. +If you suspect an issue is exploitable, report it privately via the +`ASF security process `_. + + Columnar Format ===============
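Review bot: in the first hunk (docs/source/cpp/security.rst), the new cross-reference reads ``:ref:`Bugs vs. Security Vulnerabilities ``` with no explicit target after the title text; as shown it would not resolve to the ``.. _bugs_vs_security:`` label introduced in the second hunk. Make the role carry the label explicitly, e.g. ``:ref:`Bugs vs. Security Vulnerabilities <bugs_vs_security>```, and build the docs once with ``-W`` so an unresolved reference fails rather than silently rendering as plain text.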
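Review bot: in the second hunk (docs/source/format/Security.rst), the DoS criterion in the "exploitable" list ("sustained Denial of Service affecting the broader system") and the exclusion "resource exhaustion ... that only affects the local process" leave the most common deployment ambiguous: a small malformed input that reliably drives a long-running service into an infinite loop or out of memory is process-local, yet it is exactly what a remote sender would use against a server that parses untrusted Arrow data. State the factor that actually separates the two cases (for example, disproportionate amplification relative to input size, or effects that persist after the offending input has been processed) so reporters and triagers apply the same test. Two smaller points: `std::abort` uses single backticks, which in reStructuredText is interpreted text (rendered in italics, or a warning if a default role is configured), not an inline literal; use ``std::abort`` with double backticks. And the two external links (`public issue tracker `_ and `ASF security process `_) show no URL target as rendered here; confirm both carry their ``<https://...>`` targets, since a named reference without a target is a build warning.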