From 27544f7bd9c88eeda911814e1e9daffc1bccabe4 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Thu, 21 Jan 2021 17:10:22 +0100 Subject: [PATCH] github: Add security policy --- SECURITY.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..a9480d5d4 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,48 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report any security-relevant flaw to security@strongswan.org. Whenever +possible encrypt your email with the [PGP key](https://pgp.key-server.io/0x1EB41ECF25A536E4) +with key ID 0x1EB41ECF25A536E4. + +## Severity Classification + +* **High Severity Flaw** + + * Allows remote access to the VPN with improper, missing, or invalid + credentials + * Allows local escalation of privileges on the server + * Plain text traffic on the secure interface + * Key generation and crypto flaws that reduce the difficulty in decrypting + secure traffic + +* **Medium Severity Flaw** + + * Remotely crashing the strongSwan daemon, which would allow DoS attacks on + the VPN service + +* **Low Severity Flaw** + + * All other minor issues not directly compromising security or availability + of the strongSwan daemon or the host the daemon is running on + +## Action Taken + +For **high** and **medium** severity vulnerabilities we are generally going to +apply for a [CVE Identifier](https://cve.mitre.org/cve/identifiers/) first. +Next we notify all known strongSwan customers and the major Linux +distributions, giving them a time of about three weeks to patch their software +release. On a predetermined date, we officially issue an advisory and a patch +for the vulnerability and usually a new stable strongSwan release containing +the security fix. + +Minor vulnerabilities of **low** severity usually will be fixed immediately +in our repository and released with the next stable release. + +## List of Reported and Fixed Security Flaws + +A list of all reported strongSwan high and medium security flaws may be +found in the [CVE database](https://nvd.nist.gov/vuln/search/results?query=strongswan). + +The corresponding security patches are published on https://download.strongswan.org/security/.
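Review bot: In the "Reporting a Vulnerability" section the contact key is identified only by a 64-bit key ID (0x1EB41ECF25A536E4) and a link to a third-party keyserver (pgp.key-server.io); consider adding the full key fingerprint to the document and hosting the public key on strongswan.org itself, so a reporter can verify the key without depending on that keyserver staying online and without relying on a key ID alone to identify the right key. A minor wording point in "Action Taken": "giving them a time of about three weeks to patch their software release" reads more naturally as "giving them about three weeks to patch their software release".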