github: Add security policy
This commit is contained in:
parent
ebf13f4caf
commit
27544f7bd9
@ -0,0 +1,48 @@
# Security Policy
## Reporting a Vulnerability
Please report any security-relevant flaw to security@strongswan.org. Whenever
possible encrypt your email with the [PGP key](https://pgp.key-server.io/0x1EB41ECF25A536E4)
with key ID 0x1EB41ECF25A536E4.
## Severity Classification
* **High Severity Flaw**
* Allows remote access to the VPN with improper, missing, or invalid
credentials
* Allows local escalation of privileges on the server
* Plain text traffic on the secure interface
* Key generation and crypto flaws that reduce the difficulty in decrypting
secure traffic
* **Medium Severity Flaw**
* Remotely crashing the strongSwan daemon, which would allow DoS attacks on
the VPN service
* **Low Severity Flaw**
* All other minor issues not directly compromising security or availability
of the strongSwan daemon or the host the daemon is running on
## Action Taken
For **high** and **medium** severity vulnerabilities we are generally going to
apply for a [CVE Identifier](https://cve.mitre.org/cve/identifiers/) first.
Next we notify all known strongSwan customers and the major Linux
distributions, giving them a time of about three weeks to patch their software
release. On a predetermined date, we officially issue an advisory and a patch
for the vulnerability and usually a new stable strongSwan release containing
the security fix.
Minor vulnerabilities of **low** severity usually will be fixed immediately
in our repository and released with the next stable release.
## List of Reported and Fixed Security Flaws
A list of all reported strongSwan high and medium security flaws may be
found in the [CVE database](https://nvd.nist.gov/vuln/search/results?query=strongswan).
The corresponding security patches are published on https://download.strongswan.org/security/.
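Review bot: the "Reporting a Vulnerability" section identifies the security@strongswan.org key only by a 64-bit key ID (0x1EB41ECF25A536E4) and a link to a third-party keyserver; a key ID is not enough for a reporter to verify they have the right key, so consider adding the full fingerprint and hosting the public key on strongswan.org next to the keyserver link. In the "High Severity Flaw" list, "Plain text traffic on the secure interface" would be clearer if it said which traffic is meant, e.g. traffic that should have been protected by the tunnel being sent unencrypted.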