github: Add security policy

Tobias Brunner 2 years ago
parent ebf13f4caf
commit 27544f7bd9
  1. 48

@ -0,0 +1,48 @@
# Security Policy
## Reporting a Vulnerability
Please report any security-relevant flaw to Whenever
possible encrypt your email with the [PGP key](
with key ID 0x1EB41ECF25A536E4.
## Severity Classification
* **High Severity Flaw**
* Allows remote access to the VPN with improper, missing, or invalid
* Allows local escalation of privileges on the server
* Plain text traffic on the secure interface
* Key generation and crypto flaws that reduce the difficulty in decrypting
secure traffic
* **Medium Severity Flaw**
* Remotely crashing the strongSwan daemon, which would allow DoS attacks on
the VPN service
* **Low Severity Flaw**
* All other minor issues not directly compromising security or availability
of the strongSwan daemon or the host the daemon is running on
## Action Taken
For **high** and **medium** severity vulnerabilities we are generally going to
apply for a [CVE Identifier]( first.
Next we notify all known strongSwan customers and the major Linux
distributions, giving them a time of about three weeks to patch their software
release. On a predetermined date, we officially issue an advisory and a patch
for the vulnerability and usually a new stable strongSwan release containing
the security fix.
Minor vulnerabilities of **low** severity usually will be fixed immediately
in our repository and released with the next stable release.
## List of Reported and Fixed Security Flaws
A list of all reported strongSwan high and medium security flaws may be
found in the [CVE database](
The corresponding security patches are published on