# Security Policy

## Reporting a Vulnerability

Please report any security-relevant flaw to security@strongswan.org. Whenever
possible, encrypt your email with the [PGP key](https://pgp.key-server.io/0x1EB41ECF25A536E4)
with key ID 0x1EB41ECF25A536E4.

## Severity Classification

* **High Severity Flaw**

  * Allows remote access to the VPN with improper, missing, or invalid
    credentials
  * Allows local escalation of privileges on the server
  * Plain text traffic on the secure interface
  * Key generation and crypto flaws that reduce the difficulty of decrypting
    secure traffic

* **Medium Severity Flaw**

  * Remotely crashing the strongSwan daemon, which would allow DoS attacks on
    the VPN service

* **Low Severity Flaw**

  * All other minor issues not directly compromising the security or availability
    of the strongSwan daemon or the host the daemon is running on

## Action Taken

For **high** and **medium** severity vulnerabilities we generally
apply for a [CVE Identifier](https://cve.mitre.org/cve/identifiers/) first.
Next we notify all known strongSwan customers and the major Linux
distributions, giving them about three weeks to patch their software
release. On a predetermined date, we officially issue an advisory and a patch
for the vulnerability and usually a new stable strongSwan release containing
the security fix.

Minor vulnerabilities of **low** severity are usually fixed immediately
in our repository and released with the next stable release.

## List of Reported and Fixed Security Flaws

A list of all reported strongSwan high and medium severity security flaws may be
found in the [CVE database](https://nvd.nist.gov/vuln/search/results?query=strongswan).

The corresponding security patches are published on https://download.strongswan.org/security/.