From 84e35aa63fb4412db6f9dbfb51c6f71e635e10dd Mon Sep 17 00:00:00 2001 From: Mike McQuaid Date: Wed, 27 May 2026 15:55:41 +0100 Subject: [PATCH 1/2] Clarify security report evidence - Explain why scanner-only reports need independent proof. - Direct Apple malware reports and malicious ads to vendors. --- SECURITY.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 0afaab78..86b70f37 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -69,6 +69,16 @@ A bug that depends on using an untrusted tap, mirror, wrapper, fork, checkout or Malware, unwanted behaviour, vulnerable upstream releases, malicious install scripts, vulnerable casks or dangerous upstream build systems are not Homebrew security issues by themselves. Homebrew packages third-party software selected by users; removal or metadata changes for problematic packages should be handled in public issues or pull requests. +### Antivirus and VirusTotal Detections + +Reports based only on third-party scanner output, such as VirusTotal, Intego, ClamAV or other antivirus detections on a Homebrew-installed file, are not Homebrew security issues by themselves. File hashes and scanner result permalinks help identify the sample, but they are not sufficient evidence that it is malware. Reports need independent verification that the file is malicious and that a Homebrew-maintained security boundary was violated. To date, every Homebrew report based only on third-party antivirus detections of installed files has been a false positive. Reports from Apple's built-in macOS malware protection should be reported to Apple rather than Homebrew. If they are also sent to Homebrew, we may consider them because it is part of macOS and we have not seen false positives from it so far. + +Useful supporting evidence may include reverse engineering showing malicious code or behaviour, observed malicious runtime behaviour such as network exfiltration or persistence and analysis tying the issue to Homebrew-maintained code, metadata, bottles, release infrastructure or checksum verification. Reports are not useful when they only name a detected malware family, repeat a generic malware description or use `brew install` plus a scan as the proof of concept. 
+ +### Malicious Search Advertisements + +Malicious search results, sponsored links, advertisements or lookalike websites that impersonate Homebrew are not Homebrew security issues unless Homebrew-maintained infrastructure or domains are compromised. We are aware that Google sells malicious search result advertisements targeting Homebrew search terms. Homebrew cannot control or remove advertisements sold by Google or other advertising platforms. Report malicious advertisements to Google or the relevant advertising platform, not Homebrew. + ### Software Not Written by Homebrew Security vulnerabilities in software used by but not written by Homebrew are not Homebrew security issues. Report these to the affected upstream project instead. From 8f436577ff2d48e4d98411c4baa5656c03e9584b Mon Sep 17 00:00:00 2001 From: Mike McQuaid Date: Wed, 27 May 2026 19:13:56 +0100 Subject: [PATCH 2/2] SECURITY: improve wording. Co-authored-by: Patrick Linnane --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 86b70f37..14c8e6c0 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -71,13 +71,13 @@ Malware, unwanted behaviour, vulnerable upstream releases, malicious install scr ### Antivirus and VirusTotal Detections -Reports based only on third-party scanner output, such as VirusTotal, Intego, ClamAV or other antivirus detections on a Homebrew-installed file, are not Homebrew security issues by themselves. File hashes and scanner result permalinks help identify the sample, but they are not sufficient evidence that it is malware. Reports need independent verification that the file is malicious and that a Homebrew-maintained security boundary was violated. To date, every Homebrew report based only on third-party antivirus detections of installed files has been a false positive. Reports from Apple's built-in macOS malware protection should be reported to Apple rather than Homebrew. If they are also sent to Homebrew, we may consider them because it is part of macOS and we have not seen false positives from it so far. +Reports based only on third-party scanner output, such as VirusTotal, Intego, ClamAV or other antivirus detections on a Homebrew-installed file, are not Homebrew security issues by themselves. File hashes and scanner result permalinks help identify the sample, but they are not sufficient evidence that it is malware. Reports need independent verification that the file is malicious and that a Homebrew-maintained security boundary was violated. To date, every Homebrew report based only on third-party antivirus detections of installed files has been a false positive. Reports from Apple's built-in macOS malware protection should be filed with Apple. We may also act on such reports if shared with Homebrew, since the signal comes from Apple itself and we have not seen false positives from it to date. 
Useful supporting evidence may include reverse engineering showing malicious code or behaviour, observed malicious runtime behaviour such as network exfiltration or persistence and analysis tying the issue to Homebrew-maintained code, metadata, bottles, release infrastructure or checksum verification. Reports are not useful when they only name a detected malware family, repeat a generic malware description or use `brew install` plus a scan as the proof of concept. ### Malicious Search Advertisements -Malicious search results, sponsored links, advertisements or lookalike websites that impersonate Homebrew are not Homebrew security issues unless Homebrew-maintained infrastructure or domains are compromised. We are aware that Google sells malicious search result advertisements targeting Homebrew search terms. Homebrew cannot control or remove advertisements sold by Google or other advertising platforms. Report malicious advertisements to Google or the relevant advertising platform, not Homebrew. +Malicious search results, sponsored links, advertisements or lookalike websites that impersonate Homebrew are not Homebrew security issues unless Homebrew-maintained infrastructure or domains are compromised. We are aware that Google sells malicious search result advertisements targeting Homebrew search terms. Homebrew does not purchase advertising; any sponsored result claiming to be Homebrew is fraudulent by definition. Homebrew cannot control or remove advertisements sold by Google or other advertising platforms. Report malicious advertisements to Google or the relevant advertising platform, not Homebrew. ### Software Not Written by Homebrew
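Review bot: in the first patch's hunk, the evidence list in the "Useful supporting evidence" paragraph is ambiguous as written: "observed malicious runtime behaviour such as network exfiltration or persistence and analysis tying the issue to Homebrew-maintained code" reads as if "persistence and analysis" were a single item; add a comma before "and analysis" (or split the three kinds of evidence, reverse engineering, observed runtime behaviour, and analysis tying the issue to Homebrew-maintained components, into a bulleted list) so a reporter can see they are distinct. The sentence "Reports from Apple's built-in macOS malware protection should be reported to Apple rather than Homebrew" repeats "report", and "we may consider them" does not say whether such a report is triaged as a security issue or handled as a public issue like the other categories in this file; say which. Since the paragraph tells reporters that file hashes alone are insufficient, it would also help to say what "checksum verification" evidence looks like, i.e. that the installed file does or does not match the checksum Homebrew publishes for the formula or bottle, so reporters know which comparison actually counts.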
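Review bot: in the second patch's hunk, "We may also act on such reports if shared with Homebrew" is a stronger commitment than the "we may consider them" wording it replaces; confirm that "act on" is intended, or keep "consider" so the policy does not read as a promise of remediation. The new sentence "Homebrew does not purchase advertising; any sponsored result claiming to be Homebrew is fraudulent by definition" is a useful, checkable rule, but the preceding exception "unless Homebrew-maintained infrastructure or domains are compromised" still leaves reporters without a way to tell a Homebrew-maintained domain from a lookalike; naming where the official domains are listed would close that gap. The unchanged context line beginning "Useful supporting evidence may include" still carries the ambiguous "persistence and analysis" list, and this wording patch is the natural place to fix it.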