We take the security of cryptography seriously. The following are a set of policies we have adopted to ensure that security issues are addressed in a timely fashion.
Anytime it’s possible to write code using cryptography‘s public API which does not provide the guarantees that a reasonable developer would expect it to based on our documentation.
That’s a bit academic, but basically it means the scope of what we consider a vulnerability is broad, and we do not require a proof of concept or even a specific exploit, merely a reasonable threat model under which cryptography could be attacked.
To give a few examples of things we would consider security issues:
Examples of things we wouldn’t consider security issues:
In general, if you’re unsure, we request that you to default to treating things as security issues and handling them sensitively, the worst thing that can happen is that we’ll ask you to file a public issue.
We ask that you do not report security issues to our normal GitHub issue tracker.
If you believe you’ve identified a security issue with cryptography, please report it to alex.gaynor@gmail.com. Messages may be optionally encrypted with PGP using key fingerprint F7FC 698F AAE2 D2EF BECD E98E D1B3 ADC0 E023 8CA6 (this public key is available from most commonly-used key servers).
Once you’ve submitted an issue via email, you should receive an acknowledgment within 48 hours, and depending on the action to be taken, you may receive further follow-up emails.
At any given time, we will provide security support for the master branch as well as the most recent release.
As of version 0.5, cryptography statically links OpenSSL on Windows, and as of version 1.0.1 on macOS, to ease installation. Due to this, cryptography will release a new version whenever OpenSSL has a security or bug fix release to avoid shipping insecure software.
Like all our other releases, this will be announced on the mailing list and we strongly recommend that you upgrade as soon as possible.
Our process for taking a security issue from private discussion to public disclosure involves multiple steps.
Approximately one week before full public disclosure, we will send advance notification of the issue to a list of people and organizations, primarily composed of operating-system vendors and other distributors of cryptography. This notification will consist of an email message containing:
Simultaneously, the reporter of the issue will receive notification of the date on which we plan to take the issue public.
On the day of disclosure, we will take the following steps:
If a reported issue is believed to be particularly time-sensitive – due to a known exploit in the wild, for example – the time between advance notification and public disclosure may be shortened considerably.
The list of people and organizations who receives advanced notification of security issues is not and will not be made public. This list generally consists of high-profile downstream distributors and is entirely at the discretion of the cryptography team.