Security
========

We take the security of ``cryptography`` seriously. The following are a set of
policies we have adopted to ensure that security issues are addressed in a
timely fashion.

Known vulnerabilities
---------------------

A list of all known vulnerabilities in ``cryptography`` can be found on
`osv.dev`_, as well as other ecosystem vulnerability databases. They can
automatically be scanned for using tools such as `pip-audit`_ or `osv-scan`_.
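As an added illustration (not the project's code, nor pip-audit's or osv-scanner's), the core check such scanners perform is matching an installed version against the affected ranges of an OSV record. The record, its identifier and its version numbers are constructed placeholders, not a real advisory; a dotted-integer comparison stands in for full PEP 440 parsing.

```python
import re

# Constructed OSV-shaped record: the id and version numbers are placeholders,
# not a real cryptography advisory.
SAMPLE_OSV_RECORD = {
    "id": "PLACEHOLDER-0000-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "cryptography"},
        "ranges": [
            {"type": "ECOSYSTEM",
             "events": [{"introduced": "0"}, {"fixed": "41.0.0"}]},
            {"type": "ECOSYSTEM",
             "events": [{"introduced": "42.0.0"}, {"fixed": "42.0.2"}]},
        ],
    }],
}

def parse_version(text):
    """'41.0.3rc1' -> (41, 0, 3): leading digits per component, padded to 3."""
    parts = [int(re.match(r"\d*", p).group() or 0) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def _in_range(events, version):
    """ECOSYSTEM range: affected from 'introduced' (inclusive) to 'fixed' (exclusive)."""
    start = None
    for event in events:
        if "introduced" in event:
            start = parse_version(event["introduced"])
        elif "fixed" in event:
            if start is not None and start <= version < parse_version(event["fixed"]):
                return True
            start = None
    # An 'introduced' with no later 'fixed' means every later version is affected.
    return start is not None and version >= start

def is_affected(record, package, version_text):
    """True if any PyPI ECOSYSTEM range in the record covers the version."""
    version = parse_version(version_text)
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != "PyPI" or pkg.get("name") != package:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and _in_range(rng["events"], version):
                return True
    return False
```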

Infrastructure
--------------

In addition to ``cryptography``'s code, we're also concerned with the security
of the infrastructure we run (primarily ``cryptography.io``). If you discover
a security vulnerability in our infrastructure, we ask you to report it using
the same procedure.

What is a security issue?
-------------------------

Anytime it's possible to write code using ``cryptography``'s public API which
does not provide the guarantees that a reasonable developer would expect it to
based on our documentation.

That's a bit academic, but basically it means the scope of what we consider a
vulnerability is broad, and we do not require a proof of concept or even a
specific exploit, merely a reasonable threat model under which ``cryptography``
could be attacked.

To give a few examples of things we would consider security issues:

* If a recipe, such as Fernet, made it easy for a user to bypass
  confidentiality or integrity with the public API (e.g. if the API let a user
  reuse nonces).
* If, under any circumstances, we used a CSPRNG which wasn't fork-safe.
* If ``cryptography`` used an API in an underlying C library and failed to
  handle error conditions safely.

Examples of things we wouldn't consider security issues:

* Offering ECB mode for symmetric encryption in the *Hazmat* layer. Though ECB
  is critically weak, it is documented as being weak in our documentation.
* Using a variable time comparison somewhere, if it's not possible to
  articulate any particular program in which this would result in problematic
  information disclosure.

In general, if you're unsure, we request that you default to treating things
as security issues and handling them sensitively; the worst thing that can
happen is that we'll ask you to file a public issue.

Reporting a security issue
--------------------------

We ask that you do not report security issues to our normal GitHub issue
tracker.

If you believe you've identified a security issue with ``cryptography``,
please report it via our `security advisory page`_.

Once you've submitted an issue, you should receive an acknowledgment within 48
hours, and depending on the action to be taken, you may receive further
follow-up.

Supported Versions
------------------

At any given time, we will provide security support for the `main`_ branch
as well as the most recent release.

New releases for OpenSSL updates
--------------------------------

As of versions 0.5, 1.0.1, and 2.0.0, ``cryptography`` statically links OpenSSL
in binary distributions for Windows, macOS, and Linux respectively, to ease
installation. Due to this, ``cryptography`` will release a new version whenever
OpenSSL has a security or bug fix release to avoid shipping insecure software.

Like all our other releases, this will be announced on the mailing list and we
strongly recommend that you upgrade as soon as possible.

Disclosure Process
------------------

When we become aware of a security bug in ``cryptography``, we will endeavor to
fix it and issue a release as quickly as possible. We will generally issue a new
release for any security issue.

The steps for issuing a security release are described in our
:doc:`/doing-a-release` documentation.

.. _`osv.dev`: https://osv.dev/list?ecosystem=PyPI&q=cryptography
.. _`pip-audit`: https://pypi.org/project/pip-audit/
.. _`osv-scan`: https://google.github.io/osv-scanner/
.. _`security advisory page`: https://github.com/pyca/cryptography/security/advisories/new
.. _`main`: https://github.com/pyca/cryptography