[thirdparty/strongswan.git] / SECURITY.md

# Security Policy

## Reporting a Vulnerability

Please report any security-relevant flaw to security@strongswan.org. Whenever
possible encrypt your email with the [PGP key](https://download.strongswan.org/STRONGSWAN-SECURITY-PGP-KEY)
with key ID 0x1EB41ECF25A536E4.

## Severity Classification

* **High Severity Flaw**

    * Allows remote access to the VPN with improper, missing, or invalid
      credentials
    * Allows local escalation of privileges on the server
    * Plain text traffic on the secure interface
    * Key generation and crypto flaws that reduce the difficulty in decrypting
      secure traffic

* **Medium Severity Flaw**

    * Remotely crashing the strongSwan daemon, which would allow DoS attacks on
      the VPN service

* **Low Severity Flaw**

    * All other minor issues not directly compromising security or availability
      of the strongSwan daemon or the host the daemon is running on

## Action Taken

For **high** and **medium** severity vulnerabilities we are generally going to
apply for a [CVE Identifier](https://cve.mitre.org/cve/identifiers/) first.
Next we notify all known strongSwan customers and the major Linux
distributions, giving them a time of about three weeks to patch their software
release. On a predetermined date, we officially issue an advisory and a patch
for the vulnerability and usually a new stable strongSwan release containing
the security fix.

Minor vulnerabilities of **low** severity usually will be fixed immediately
in our repository and released with the next stable release.

## List of Reported and Fixed Security Flaws

A list of all reported strongSwan high and medium security flaws may be
found in the [CVE database](https://nvd.nist.gov/vuln/search/results?query=strongswan).

The corresponding security patches are published on https://download.strongswan.org/security/.
Commit	Line	Data
27544f7b TB	1	# Security Policy
	2
	3	## Reporting a Vulnerability
	4
	5	Please report any security-relevant flaw to security@strongswan.org. Whenever
912d0520	6	possible encrypt your email with the [PGP key](https://download.strongswan.org/STRONGSWAN-SECURITY-PGP-KEY)
27544f7b TB	7	with key ID 0x1EB41ECF25A536E4.
	8
	9	## Severity Classification
	10
	11	* High Severity Flaw
	12
	13	* Allows remote access to the VPN with improper, missing, or invalid
	14	credentials
	15	* Allows local escalation of privileges on the server
	16	* Plain text traffic on the secure interface
	17	* Key generation and crypto flaws that reduce the difficulty in decrypting
	18	secure traffic
	19
	20	* Medium Severity Flaw
	21
	22	* Remotely crashing the strongSwan daemon, which would allow DoS attacks on
	23	the VPN service
	24
	25	* Low Severity Flaw
	26
	27	* All other minor issues not directly compromising security or availability
	28	of the strongSwan daemon or the host the daemon is running on
	29
	30	## Action Taken
	31
	32	For high and medium severity vulnerabilities we are generally going to
	33	apply for a [CVE Identifier](https://cve.mitre.org/cve/identifiers/) first.
	34	Next we notify all known strongSwan customers and the major Linux
	35	distributions, giving them a time of about three weeks to patch their software
	36	release. On a predetermined date, we officially issue an advisory and a patch
	37	for the vulnerability and usually a new stable strongSwan release containing
	38	the security fix.
	39
	40	Minor vulnerabilities of low severity usually will be fixed immediately
	41	in our repository and released with the next stable release.
	42
	43	## List of Reported and Fixed Security Flaws
	44
	45	A list of all reported strongSwan high and medium security flaws may be
	46	found in the [CVE database](https://nvd.nist.gov/vuln/search/results?query=strongswan).
	47
	48	The corresponding security patches are published on https://download.strongswan.org/security/.