
internal(security): update security policy with threat model#14593

Merged
christian-bromann merged 1 commit into main from cb/security-policy on Jun 26, 2025

Conversation

@christian-bromann (Member)

Proposed changes

This PR introduces a comprehensive security policy for the WebdriverIO project that replaces the minimal security reporting document with a detailed threat model analysis. The updated security documentation provides:

  • Comprehensive threat model using STRIDE methodology identifying 16 distinct security threats
  • Detailed attack surface analysis covering both external and internal attack vectors
  • Prioritized threat assessment with critical, high, and medium priority categorization
  • Concrete mitigation strategies with code examples and implementation guidance
  • Security configuration templates for safe WebdriverIO setup
  • Supply chain security analysis addressing insider threats and dependency risks
  • Operational security guidelines for development and deployment

The security policy addresses key vulnerabilities including credential theft, prototype pollution, malicious plugin loading, command injection, and sensitive data exposure in logs. It provides both immediate actionable security measures and future security considerations for the framework.

Types of changes

  • Polish (an improvement for an existing feature)
  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update (improvements to the project's docs)
  • Specification changes (updates to WebDriver command specifications)
  • Internal updates (everything related to internal scripts, governance documentation and CI files)

Checklist

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation (if appropriate)
  • I have added proper type definitions for new commands (if appropriate)

Backport Request


  • This change is solely for v9 and doesn't need to be back-ported
  • Back-ported PR at #XXXXX

Further comments

This security policy establishes WebdriverIO's commitment to security best practices and provides users with comprehensive guidance on secure usage. The document identifies 16 specific security threats (T-01 through T-16) with detailed mitigation strategies, making it a valuable resource for both developers and security teams.

Key highlights include:

  • Built-in security features documentation: Covers existing log masking capabilities and secure configuration patterns
  • Threat prioritization: 8 critical/high priority threats requiring immediate attention
  • Code examples: Practical security implementations for common scenarios
  • Supply chain analysis: Addresses risks from dependencies and plugin ecosystems
  • Future security roadmap: Identifies areas for framework enhancement

The policy is designed to be a living document that will be updated regularly as new threats emerge and security measures evolve.

Reviewers: @webdriverio/project-committers
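The PR description above refers to log masking as one of the built-in mitigations for sensitive data exposure in logs, but the policy text itself is not on this page. The following is an added example, not WebdriverIO's own code, showing what such a masking layer does in practice: a regex filter over WebDriver-style log lines plus a key-based masker for structured objects (capabilities, request bodies) that also refuses to copy prototype-pollution vectors. The names `MASKING_RULES`, `maskSensitive`, `maskObject`, `findLeaks` and the sample log lines are all constructed for illustration and do not correspond to any WebdriverIO API.

```javascript
// Added example (not WebdriverIO's own implementation): a stand-alone log-masking
// filter of the kind a security policy recommends against credential leakage in logs.
// MASKING_RULES, maskSensitive(), maskObject(), findLeaks() and SAMPLE_LOG_LINES
// are all constructed for this illustration.

const MASK = '**MASKED**';

// Each rule has three capture groups: (prefix to keep)(secret to drop)(suffix to keep).
// Rules without a natural suffix carry an empty "()" so the replacer signature is uniform.
const MASKING_RULES = [
  // JSON-encoded credential fields as they appear in capability/request logs
  { name: 'json-credential',
    re: /("(?:accessKey|password|token|authorization|secret)"\s*:\s*")([^"]*)(")/gi },
  // CLI-style --key=value arguments in spawned-process logs
  { name: 'cli-argument', re: /(--(?:key|token|password|secret)=)(\S+)()/gi },
  // Basic-auth credentials embedded in a hub URL: https://user:secret@host
  { name: 'url-userinfo', re: /(https?:\/\/[^:\/\s@]+:)([^@\/\s]+)(@)/gi },
  // Bearer tokens in header dumps
  { name: 'bearer-token', re: /(Bearer\s+)([A-Za-z0-9._\-]+)()/g },
];

// Mask one log line. Every rule is applied, so a line carrying several secrets is fully redacted.
function maskSensitive(line, rules = MASKING_RULES) {
  let out = line;
  for (const { re } of rules) {
    out = out.replace(re, (_match, prefix, _secret, suffix) => prefix + MASK + suffix);
  }
  return out;
}

function maskLines(lines, rules = MASKING_RULES) {
  return lines.map((line) => maskSensitive(line, rules));
}

// Structured variant for objects that get serialised into logs (e.g. capabilities).
// Matching on key names is more robust than regexes over serialised text. The copy is
// rebuilt from own enumerable entries only and skips prototype-pollution vectors, so a
// JSON body such as {"__proto__":{...}} cannot reach the prototype of the masked copy.
const SENSITIVE_KEYS = new Set(['accesskey', 'password', 'token', 'authorization', 'secret']);
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function maskObject(value) {
  if (Array.isArray(value)) {
    return value.map(maskObject);
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      if (FORBIDDEN_KEYS.has(key)) {
        continue; // never assign "__proto__" & co. on the new object
      }
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? MASK : maskObject(child);
    }
    return out;
  }
  return value; // primitives pass through unchanged
}

// Constructed sample log lines (not real WebdriverIO output), one per rule.
const SAMPLE_LOG_LINES = [
  'INFO webdriver: COMMAND newSession {"capabilities":{"alwaysMatch":{"browserName":"chrome","sauce:options":{"accessKey":"0123456789abcdef"}}}}',
  'INFO @wdio/cli: spawning tunnel --key=s3cr3t-key --headless',
  'INFO webdriver: connecting to https://ci-user:hunter2@hub.example.com:4444/wd/hub',
  'DEBUG request: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig',
];

// Post-masking check: returns the known secrets that still appear verbatim, so a test
// or a CI step over a log artefact fails loudly instead of silently shipping them.
function findLeaks(maskedLines, knownSecrets) {
  return knownSecrets.filter((secret) => maskedLines.some((line) => line.includes(secret)));
}

const maskedSample = maskLines(SAMPLE_LOG_LINES);
console.log(maskedSample.join('\n'));
console.log('leaks:', findLeaks(maskedSample,
  ['0123456789abcdef', 's3cr3t-key', 'hunter2', 'eyJhbGciOiJIUzI1NiJ9.payload.sig']));
```

The regex rules are deliberately anchored on the key or scheme that precedes a secret rather than on the secret's shape, because token formats change while field names stay stable; `findLeaks` exists so that a rule gap shows up as a failing check rather than as a redacted-looking log that still contains the value.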

@christian-bromann added the "PR: Internal 🏠" label (PRs that contain changes internals) on Jun 25, 2025
@pkg-pr-new (bot) commented Jun 25, 2025


eslint-plugin-wdio

npm i https://pkg.pr.new/webdriverio/webdriverio/eslint-plugin-wdio@14593

@wdio/allure-reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/allure-reporter@14593

@wdio/appium-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/appium-service@14593

@wdio/browser-runner

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/browser-runner@14593

@wdio/browserstack-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/browserstack-service@14593

@wdio/cli

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/cli@14593

@wdio/concise-reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/concise-reporter@14593

@wdio/config

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/config@14593

@wdio/cucumber-framework

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/cucumber-framework@14593

@wdio/dot-reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/dot-reporter@14593

@wdio/firefox-profile-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/firefox-profile-service@14593

@wdio/globals

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/globals@14593

@wdio/jasmine-framework

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/jasmine-framework@14593

@wdio/json-reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/json-reporter@14593

@wdio/junit-reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/junit-reporter@14593

@wdio/lighthouse-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/lighthouse-service@14593

@wdio/local-runner

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/local-runner@14593

@wdio/logger

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/logger@14593

@wdio/mocha-framework

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/mocha-framework@14593

@wdio/protocols

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/protocols@14593

@wdio/repl

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/repl@14593

@wdio/reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/reporter@14593

@wdio/runner

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/runner@14593

@wdio/sauce-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/sauce-service@14593

@wdio/shared-store-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/shared-store-service@14593

@wdio/smoke-test-cjs-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/smoke-test-cjs-service@14593

@wdio/smoke-test-reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/smoke-test-reporter@14593

@wdio/smoke-test-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/smoke-test-service@14593

@wdio/spec-reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/spec-reporter@14593

@wdio/static-server-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/static-server-service@14593

@wdio/sumologic-reporter

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/sumologic-reporter@14593

@wdio/testingbot-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/testingbot-service@14593

@wdio/types

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/types@14593

@wdio/utils

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/utils@14593

@wdio/webdriver-mock-service

npm i https://pkg.pr.new/webdriverio/webdriverio/@wdio/webdriver-mock-service@14593

webdriver

npm i https://pkg.pr.new/webdriverio/webdriverio/webdriver@14593

webdriverio

npm i https://pkg.pr.new/webdriverio/webdriverio@14593

commit: b69a314

@christian-bromann merged commit 95e3e71 into main on Jun 26, 2025
31 of 44 checks passed
@christian-bromann deleted the cb/security-policy branch on June 26, 2025 14:54