Archives/opensense-docs
2
0
Fork 0
mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00
Code Issues Projects Releases Wiki Activity
8a518cba3e
opensense-docs/source/security.rst
Ad Schellevis 8a518cba3e add security menu
2022-05-31 09:51:01 +02:00

93 lines
3.6 KiB
ReStructuredText
Raw Blame History

====================================
Security
====================================
.. contents:: Index
------------------------------------------------------------
Intro
------------------------------------------------------------
As your trusted opensource security product, we do care a lot about security and with our regular release schedule we
try to stay ahead of possible incidents. Even though we are cautious and stay informed, sometimes issues
do ocure, in which case it's good to know what to do.
------------------------------------------------------------
Staying ahead
------------------------------------------------------------
Even though we always encourage people to update regularly, sometimes it's not possible to do so for various reasons.
Luckily OPNsense comes with an integrated security check for know vulnerabilities, which can be found in our firmware
module. In which case you do have the opportunity to validate for yourself what the risk is to keep using the
current version for a bit longer.
You can reach it via :menuselection:`System -> Firmware` in the status pane, the button "Run an Audit"
will bring you right into the security report.
If all goes well, a report like the one below will be shown:
.. code-block::
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 22.1.8_1 (amd64/OpenSSL) at Tue May 31 09:01:04 CEST 2022
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
***DONE***
.. Note::
We do not offer community support on assessing if incidents on older versions do warrant an immediate upgrade on your
end as this often depends on features used and settings configured. Our advise always will be to upgrade into the
latest community or business version.
.. Warning::
Please don't report issues to us reported by the security health check, they are already known and highly likely
a fix is pending for the next release.
------------------------------------------------------------
Upstream vulnerabilities
------------------------------------------------------------
Since OPNsense is a collection of opensource software, when finding an issue, it is always a good idea to
inspect where is should be fixed first. In case you don't know or aren't sure, you can still ask on our end, just
know that we don't have the manpower to act as an intermediate between various projects.
------------------------------------------------------------
Reporting an incident
------------------------------------------------------------
Security incidents on our product can be reported to our security team available at **security** @ **opnsense.org**.
All reports should contain at least the following information:
* A clear description of the vulnerability at hand
* Which version(s) of our product seem to be affected
* Any known workaround
* When possible, some example code
Our GPG information for delivering encrypted emails is as follows:
* GPG Key ID: D3C7FBDB
* GPG Fingerprint: 97D5 0C7F EC38 22D0 85AE 51B1 C271 8D7A D3C7 FBDB
------------------------------------------------------------
Information handling policies
------------------------------------------------------------
As a general policy we do favor full disclosure of vulnerability information after a reasonable amount of time to permit
safe analysis and correction as well as appropriate testing for the correction at hand.
In order to coordinate with other affected parties, we might share parts of the information provided to us to them as well
or ask the reporter to do so.
When the submitter is interested in a coordinated disclosure process, this should be indicated in any submission to avoid
discussions later on.
Reference in New Issue View Git Blame Copy Permalink