diff --git a/web/documentation/security.org b/web/documentation/security.org index 5924dc6..67e25d0 100644 --- a/web/documentation/security.org +++ b/web/documentation/security.org @@ -1,32 +1,43 @@ #+TITLE: GnuPG - Security #+STARTUP: showall #+SETUPFILE: "../share/setup.inc" * Security The GnuPG Project takes the security of software it develops very seriously. In general we prefer a [[https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)][full disclosure]] approach and all bugs listed in our [[file:bts.org][bug tracker]] as well as code changes in our [[../download/git.org][software repository]] are public. Given that GnuPG is an important part of many software distributions and severe bugs in GnuPG would affect their users directly, we co-ordinate with them in private as soon as we learn about a severe vulnerability. Sometimes we receive pre-notifications of research which may lead to a new kind of vulnerability. In these cases we may work with the researchers in private on a solution and co-ordinate our fix release with them. + +** Threat Model of libgcrypt + +For libgcrypt, as its a library, it is intended to be used widely. +Thus, users can run the code in any environments as they wish. +However, there are hardware which may allow access to fine-grained +side channel. Those hardware related threats are out of the scope of +libgcrypt threat model. It's up to users not to offer any access to +those side channels in such use cases. + + ** Security contact If you found a *severe* security problem and you do not want to publish it, please report it by mail to security at gnupg.org. We prefer reports in plain text format; if needed we can also work with PDF files. For security reasons we won't read any other complex data formats (e.g. docx or odt). Note that we do not use a team OpenPGP key. Thus please write a non-encrypted message to the security address and ask for the keys of the developers at duty and then encrypt the mail to all of them. A list of our core developers can be found [[../people/index.org][here]]; they are all active on the gnupg-devel mailing list.