From 8a7071179dea3cb88db93d4c5d043c02fa9b33aa Mon Sep 17 00:00:00 2001
From: Laurent Cozic
Date: Thu, 13 Feb 2025 09:55:10 +0000
Subject: [PATCH] Doc: Add "Area outside of Joplin's Threat Model" to Security.md

---
 SECURITY.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
index 241b0ae32f..0d50a8eb73 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -10,6 +10,36 @@ Please [contact support](https://raw.githubusercontent.com/laurent22/joplin/dev/ For general opinions on what makes an app more or less secure, please use the forum. +## Areas outside Joplin's Threat Model + +Note: we're mostly linking to Chrome's documentation since our reasoning for these exclusions is the same. + +### Denial of Service (DoS) + +[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#are-denial-of-service-issues-considered-security-bugs) + +### Physically-local attacks + +[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model) + +### Compromised/infected machines + +[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-compromised_infected-machines-in-chromes-threat-model) + +### Is opening a file on the local machine a security vulnerability? + +No - users are allowed to link to files on their local computer. This was a feature that was implemented by popular request. There are measures in place to mitigate security risks such as a dialog to confirm whether a file with an unknown file extension should be opened. + +### Is DLL sideloading a security vulnerability? + +No. This is an Electron issue and not one they will fix: https://github.com/electron/electron/issues/28384 + +See also [Physically-local attacks](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model) + +### Is local data not being encrypted a security vulnerability? + +No, but you should use disk encryption. See also [Physically-local attacks](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model) + ## Bounty We **do not** offer a bounty for discovering vulnerabilities, please do not ask. 
We can however credit you and link to your website in the changelog and release announcement.
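Review bot: the first three new subsections ("### Denial of Service (DoS)", "### Physically-local attacks", "### Compromised/infected machines") consist of nothing but a `[Reference](...)` link, so a reporter reading SECURITY.md directly gets no statement of why these classes are out of scope; add a one-sentence rationale under each heading and keep the Chromium link as supporting material rather than the only content. The deep links into `chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#...` are fragile on two counts, the branch name in the path and the generated heading fragments, so consider linking to the FAQ document itself and naming the relevant section in prose. In the DLL sideloading entry the Electron issue is pasted as a bare URL while every other reference in the hunk uses markdown link syntax; `[electron/electron#28384](https://github.com/electron/electron/issues/28384)` would be consistent, and "not one they will fix" is a claim about a third party's intent that may go stale, so phrasing it as "tracked upstream" with the link is safer. The local-file entry cites "a dialog to confirm whether a file with an unknown file extension should be opened" as the mitigation; stating which extensions open without confirmation, or pointing to where that list is maintained, would let a reader verify the mitigation instead of taking it on faith. Finally, the heading added is "Areas outside Joplin's Threat Model" while the subject line reads "Area outside of Joplin's Threat Model"; the commit message should match the text it introduces.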