| Alex Gaynor | 99b69d9 | 2013-10-19 17:52:58 -0700 | [diff] [blame] | 1 | Security |
| 2 | ======== |
| 3 | |
| Ayrx | ffd8d43 | 2014-06-05 17:11:59 +0800 | [diff] [blame] | 4 | We take the security of ``cryptography`` seriously. The following are a set of |
| 5 | policies we have adopted to ensure that security issues are addressed in a |
| 6 | timely fashion. |
| 7 | |
| 8 | Reporting a security issue |
| 9 | -------------------------- |
| 10 | |
| 11 | We ask that you do not report security issues to our normal GitHub issue |
| 12 | tracker. |
| 13 | |
| 14 | If you believe you've identified a security issue with ``cryptography``, please |
| 15 | report it to ``alex.gaynor@gmail.com``. Message may be optionally be encrypted |
| 16 | with PGP using key fingerprint |
| 17 | ``E27D 4AA0 1651 72CB C5D2 AF2B 125F 5C67 DFE9 4084`` |
| 18 | (this public key is available from most commonly-used key servers). |
| Alex Gaynor | 99b69d9 | 2013-10-19 17:52:58 -0700 | [diff] [blame] | 19 | |
| Alex Gaynor | 9cd4b21 | 2014-01-10 06:54:21 -0800 | [diff] [blame] | 20 | Once you've submitted an issue via email, you should receive an acknowledgment |
| Alex Gaynor | 99b69d9 | 2013-10-19 17:52:58 -0700 | [diff] [blame] | 21 | within 48 hours, and depending on the action to be taken, you may receive |
| Alex Gaynor | 59075df | 2014-01-10 11:40:03 -0800 | [diff] [blame] | 22 | further follow-up emails. |
| Ayrx | ffd8d43 | 2014-06-05 17:11:59 +0800 | [diff] [blame] | 23 | |
| 24 | Supported Versions |
| 25 | ------------------ |
| 26 | |
| 27 | At any given time, we will provide security support for the `master`_ branch |
| 28 | as well as the 2 most recent releases. |
| 29 | |
| Terry Chia | 81fed66 | 2014-07-07 11:25:51 +0800 | [diff] [blame] | 30 | New releases for OpenSSL updates |
| 31 | -------------------------------- |
| 32 | |
| 33 | As of version 0.5, ``cryptography`` statically links OpenSSL on Windows to ease |
| 34 | installation. Due to this, ``cryptography`` will release a new version whenever |
| 35 | OpenSSL has a security or bug fix release to avoid shipping insecure software. |
| 36 | |
| 37 | Like all our other releases, this will be announced on the mailing list and we |
| 38 | strongly recommend that you upgrade as soon as possible. |
| 39 | |
| Ayrx | ffd8d43 | 2014-06-05 17:11:59 +0800 | [diff] [blame] | 40 | Disclosure Process |
| 41 | ------------------ |
| 42 | |
| 43 | Our process for taking a security issue from private discussion to public |
| 44 | disclosure involves multiple steps. |
| 45 | |
| 46 | Approximately one week before full public disclosure, we will send advance |
| 47 | notification of the issue to a list of people and organizations, primarily |
| 48 | composed of operating-system vendors and other distributors of |
| Ayrx | ead04a4 | 2014-06-06 00:59:18 +0800 | [diff] [blame] | 49 | ``cryptography``. This notification will consist of an email message |
| 50 | containing: |
| Ayrx | ffd8d43 | 2014-06-05 17:11:59 +0800 | [diff] [blame] | 51 | |
| 52 | * A full description of the issue and the affected versions of |
| 53 | ``cryptography``. |
| 54 | * The steps we will be taking to remedy the issue. |
| Ayrx | 189f170 | 2014-06-05 18:16:36 +0800 | [diff] [blame] | 55 | * The patches, if any, that will be applied to ``cryptography``. |
| Ayrx | ffd8d43 | 2014-06-05 17:11:59 +0800 | [diff] [blame] | 56 | * The date on which the ``cryptography`` team will apply these patches, issue |
| Alex Gaynor | e2f523a | 2014-06-05 13:09:47 -0700 | [diff] [blame] | 57 | new releases, and publicly disclose the issue. |
| Ayrx | ffd8d43 | 2014-06-05 17:11:59 +0800 | [diff] [blame] | 58 | |
| 59 | Simultaneously, the reporter of the issue will receive notification of the date |
| 60 | on which we plan to take the issue public. |
| 61 | |
| 62 | On the day of disclosure, we will take the following steps: |
| 63 | |
| Ayrx | 189f170 | 2014-06-05 18:16:36 +0800 | [diff] [blame] | 64 | * Apply the relevant patches to the ``cryptography`` repository. The commit |
| Ayrx | ffd8d43 | 2014-06-05 17:11:59 +0800 | [diff] [blame] | 65 | messages for these patches will indicate that they are for security issues, |
| 66 | but will not describe the issue in any detail; instead, they will warn of |
| 67 | upcoming disclosure. |
| Ayrx | 189f170 | 2014-06-05 18:16:36 +0800 | [diff] [blame] | 68 | * Issue the relevant releases. |
| Ayrx | ffd8d43 | 2014-06-05 17:11:59 +0800 | [diff] [blame] | 69 | * Post a notice to the cryptography mailing list that describes the issue in |
| 70 | detail, point to the new release and crediting the reporter of the issue. |
| 71 | |
| 72 | If a reported issue is believed to be particularly time-sensitive – due to a |
| 73 | known exploit in the wild, for example – the time between advance notification |
| 74 | and public disclosure may be shortened considerably. |
| 75 | |
| 76 | The list of people and organizations who receives advanced notification of |
| 77 | security issues is not and will not be made public. This list generally |
| 78 | consists of high profile downstream distributors and is entirely at the |
| 79 | discretion of the ``cryptography`` team. |
| 80 | |
| 81 | .. _`master`: https://github.com/pyca/cryptography |