Security
========

We take the security of ``cryptography`` seriously. The following are a set of
policies we have adopted to ensure that security issues are addressed in a
timely fashion.

Reporting a security issue
--------------------------

We ask that you do not report security issues to our normal GitHub issue
tracker.

If you believe you've identified a security issue with ``cryptography``, please
report it to ``alex.gaynor@gmail.com``. Messages may be optionally encrypted
with PGP using key fingerprint
``E27D 4AA0 1651 72CB C5D2 AF2B 125F 5C67 DFE9 4084`` (this public key is
available from most commonly-used key servers).

Once you've submitted an issue via email, you should receive an acknowledgment
within 48 hours, and depending on the action to be taken, you may receive
further follow-up emails.

Supported Versions
------------------

At any given time, we will provide security support for the `master`_ branch
as well as the 2 most recent releases.

New releases for OpenSSL updates
--------------------------------

As of version 0.5, ``cryptography`` statically links OpenSSL on Windows, and as
of version 1.0.1 on OS X, to ease installation. Due to this, ``cryptography``
will release a new version whenever OpenSSL has a security or bug fix release to
avoid shipping insecure software.

Like all our other releases, this will be announced on the mailing list and we
strongly recommend that you upgrade as soon as possible.

Disclosure Process
------------------

Our process for taking a security issue from private discussion to public
disclosure involves multiple steps.

Approximately one week before full public disclosure, we will send advance
notification of the issue to a list of people and organizations, primarily
composed of operating-system vendors and other distributors of
``cryptography``. This notification will consist of an email message
containing:

* A full description of the issue and the affected versions of
  ``cryptography``.
* The steps we will be taking to remedy the issue.
* The patches, if any, that will be applied to ``cryptography``.
* The date on which the ``cryptography`` team will apply these patches, issue
  new releases, and publicly disclose the issue.

Simultaneously, the reporter of the issue will receive notification of the date
on which we plan to take the issue public.

On the day of disclosure, we will take the following steps:

* Apply the relevant patches to the ``cryptography`` repository. The commit
  messages for these patches will indicate that they are for security issues,
  but will not describe the issue in any detail; instead, they will warn of
  upcoming disclosure.
* Issue the relevant releases.
* Post a notice to the cryptography mailing list that describes the issue in
  detail, points to the new release, and credits the reporter of the issue.

If a reported issue is believed to be particularly time-sensitive – due to a
known exploit in the wild, for example – the time between advance notification
and public disclosure may be shortened considerably.

The list of people and organizations who receive advance notification of
security issues is not and will not be made public. This list generally
consists of high-profile downstream distributors and is entirely at the
discretion of the ``cryptography`` team.

.. _`master`: https://github.com/pyca/cryptography