From 6491193e7963ea16656874900afcae059469716a Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Fri, 29 May 2026 10:43:02 -0700 Subject: [PATCH 1/3] docs: point security policy to canonical website URL Replace inline SECURITY-POLICY.md with a thin pointer in .github/SECURITY.md to the canonical policy at wolfssl.com/.well-known/vulnerability-disclosure-policy.txt. Keeps PGP key, contact info, and report template reference. Removes SECURITY-POLICY.md (now redundant). --- .github/SECURITY.md | 21 ++++++++++--- SECURITY-POLICY.md | 74 --------------------------------------------- 2 files changed, 16 insertions(+), 79 deletions(-) delete mode 100644 SECURITY-POLICY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md index a5b9a7cf010..4965a9d9c2d 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,12 +2,23 @@ ## Reporting a Vulnerability -**Use of the wolfSSL Vulnerability Report Template is mandatory.** All security reports must use [`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md), with every required field completed. Reports that do not use the template, or that leave required fields incomplete, will not receive CVE consideration. +Report security vulnerabilities to **support@wolfssl.com** or call **+1-425-245-8247**. -Submit the completed template to **support@wolfssl.com**. +Reports may be encrypted with our PGP key: -Non-template submissions may still be reviewed on the merits and, where appropriate, addressed as hardening fixes in a future release. + Fingerprint: A2A4 8E7B CB96 C5BE CB98 7314 EBC8 0E41 5CA2 9677 + Key server: keys.openpgp.org -**Please keep the vulnerability private** until a fix has been released. +## Full Policy -For the full policy — severity rubric, coordinated-disclosure practice, and reporter credit — see [`SECURITY-POLICY.md`](../SECURITY-POLICY.md). +Our coordinated vulnerability disclosure policy — including scope, threat-model +boundaries, response commitments, and EU Cyber Resilience Act obligations — is +published at: + + https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt + +## Report Template + +For CVE consideration, submit a completed +[vulnerability report template](../SECURITY-REPORT-TEMPLATE.md) to +**support@wolfssl.com**. diff --git a/SECURITY-POLICY.md b/SECURITY-POLICY.md deleted file mode 100644 index 8f5c989ca67..00000000000 --- a/SECURITY-POLICY.md +++ /dev/null @@ -1,74 +0,0 @@ -# wolfSSL Security Policy - -## About This Policy - -This document defines how wolfSSL Inc. handles security vulnerabilities in its products: how to report them, how we evaluate them, and how we coordinate disclosure. - -## Reporting a Vulnerability - -**Use of the wolfSSL Vulnerability Report Template is mandatory.** All security reports must be submitted using [`SECURITY-REPORT-TEMPLATE.md`](SECURITY-REPORT-TEMPLATE.md), with every required field completed. Reports that do not use the template, or that leave required fields incomplete, will not receive CVE consideration. - -Submit the completed template to **support@wolfssl.com**. - -Non-template submissions may still be reviewed on the merits and, where appropriate, addressed as hardening fixes in a future release. CVE assignment requires a complete template. - -We aim to acknowledge reports as they come in and engage with reporters throughout triage. Investigations proceed at the pace the material requires. - -## What wolfSSL Treats as a Vulnerability - -wolfSSL files a CVE advisory for defects with meaningful security impact on realistic wolfSSL deployments, where exploitability is demonstrated or clearly analyzable. wolfSSL determines whether a finding meets this bar. - -We classify confirmed vulnerabilities across four severity tiers: - -- **Critical** — Remote, practically exploitable defects in default configurations -- **High** — Serious defects with realistic exploitability -- **Medium** — Defects with meaningful impact under favorable conditions -- **Low** — Defects requiring specialized configurations or narrow deployment scenarios - -Reporter-proposed severity is input to the process, not its conclusion. - -## What Is Not Considered a Vulnerability - -Some defects are typically addressed as bug fixes rather than CVE-eligible vulnerabilities. These include: - -- Issues requiring physical access, physical-level side channels, or fault injection -- Issues the attacker can reach only with capabilities that already grant the outcome -- Issues reachable only through unsupported or undocumented API use -- Issues without a working reproducer -- Availability impact outside narrow protocol-facing cases - -wolfSSL determines whether a finding meets the CVE threshold. Findings below the threshold are addressed through normal release channels where appropriate; dispositions may be revisited when new information warrants. - -## Out of Scope - -- Third-party libraries bundled by customers -- Non-library code (example programs, test harnesses, developer tools) -- Documentation errors -- Performance issues without security implications - -## Supported Versions - -Security fixes are released for the current stable release and the immediately prior stable release. Older releases receive security fixes only under active commercial support agreements. - -## Coordinated Disclosure - -We investigate and fix confirmed vulnerabilities privately, coordinate disclosure timing with the reporter, and release the fix and security advisory together. Embargo extensions for ecosystem coordination — downstream integrators, certification bodies, or equivalent — are considered case-by-case. CVE records are published consistent with CVE Program rules. - -## Credit - -Reporters are credited in the advisory and release notes unless anonymity is requested. Reports are welcome from independent security researchers, academic researchers, and organizations conducting authorized security testing. - -Credit text is coordinated with the reporter before publication. - -## Contact - -- **support@wolfssl.com** — security vulnerability reports and general support -- **info@wolfssl.com** — general inquiries - -Published CVE advisories: https://www.wolfssl.com/docs/security-vulnerabilities/ - -## Policy Changes - -Material changes to this policy are announced via the wolfSSL blog. The canonical version of this policy is maintained in the wolfSSL GitHub repository. - -*Last updated: 2026-04-22* From fe70129a89c80005317b3a8e589495c8655eaa4c Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Mon, 1 Jun 2026 17:58:51 -0700 Subject: [PATCH 2/3] docs: use canonical secure@wolfssl.com for security reports Per Chris Conlon, secure@ is the existing alias for inbound security reports. support@ is the general support inbox. Aligns with the canonical /.well-known/security.txt and vulnerability-disclosure-policy.txt. --- .github/SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 4965a9d9c2d..bba9a509faa 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,7 +2,7 @@ ## Reporting a Vulnerability -Report security vulnerabilities to **support@wolfssl.com** or call **+1-425-245-8247**. +Report security vulnerabilities to **secure@wolfssl.com** or call **+1-425-245-8247**. Reports may be encrypted with our PGP key: @@ -21,4 +21,4 @@ published at: For CVE consideration, submit a completed [vulnerability report template](../SECURITY-REPORT-TEMPLATE.md) to -**support@wolfssl.com**. +**secure@wolfssl.com**. From 66fe1175382f11d5cfddfb4213b5eda357d87acf Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Thu, 9 Jul 2026 12:39:30 -0700 Subject: [PATCH 3/3] docs: keep in-repo security policy, fix contacts Address review feedback (dgarske): - Restore SECURITY-POLICY.md instead of deleting it. The full policy (severity rubric, scope, coordinated disclosure, credit) stays in-repo; the canonical website URL is now presented as a mirror of it, not a replacement, so other repos can still reference one copy. - SECURITY.md: prefer support@wolfssl.com, offer secure@wolfssl.com with the PGP key as an option, and drop the phone number. - Restore the mandatory report-template requirement and the "keep the vulnerability private until a fix is released" guidance, resolving the contradiction between the intro and the template section. --- .github/SECURITY.md | 27 +++++++++-------- SECURITY-POLICY.md | 74 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+), 12 deletions(-) create mode 100644 SECURITY-POLICY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md index bba9a509faa..85b059eac4a 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,23 +2,26 @@ ## Reporting a Vulnerability -Report security vulnerabilities to **secure@wolfssl.com** or call **+1-425-245-8247**. +**Use of the wolfSSL Vulnerability Report Template is mandatory.** All security +reports must use [`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md), +with every required field completed. Reports that do not use the template, or +that leave required fields incomplete, will not receive CVE consideration. -Reports may be encrypted with our PGP key: +Submit the completed template to **support@wolfssl.com**. You may also send it to +**secure@wolfssl.com** and encrypt it with our PGP key: Fingerprint: A2A4 8E7B CB96 C5BE CB98 7314 EBC8 0E41 5CA2 9677 Key server: keys.openpgp.org -## Full Policy - -Our coordinated vulnerability disclosure policy — including scope, threat-model -boundaries, response commitments, and EU Cyber Resilience Act obligations — is -published at: +Non-template submissions may still be reviewed on the merits and, where +appropriate, addressed as hardening fixes in a future release. - https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt +**Please keep the vulnerability private** until a fix has been released. -## Report Template +## Full Policy -For CVE consideration, submit a completed -[vulnerability report template](../SECURITY-REPORT-TEMPLATE.md) to -**secure@wolfssl.com**. +For the full policy — severity rubric, scope, coordinated-disclosure practice, +and reporter credit — see [`SECURITY-POLICY.md`](../SECURITY-POLICY.md). The same +policy is also published at + so that +other wolfSSL repositories can reference one canonical copy. diff --git a/SECURITY-POLICY.md b/SECURITY-POLICY.md new file mode 100644 index 00000000000..8f5c989ca67 --- /dev/null +++ b/SECURITY-POLICY.md @@ -0,0 +1,74 @@ +# wolfSSL Security Policy + +## About This Policy + +This document defines how wolfSSL Inc. handles security vulnerabilities in its products: how to report them, how we evaluate them, and how we coordinate disclosure. + +## Reporting a Vulnerability + +**Use of the wolfSSL Vulnerability Report Template is mandatory.** All security reports must be submitted using [`SECURITY-REPORT-TEMPLATE.md`](SECURITY-REPORT-TEMPLATE.md), with every required field completed. Reports that do not use the template, or that leave required fields incomplete, will not receive CVE consideration. + +Submit the completed template to **support@wolfssl.com**. + +Non-template submissions may still be reviewed on the merits and, where appropriate, addressed as hardening fixes in a future release. CVE assignment requires a complete template. + +We aim to acknowledge reports as they come in and engage with reporters throughout triage. Investigations proceed at the pace the material requires. + +## What wolfSSL Treats as a Vulnerability + +wolfSSL files a CVE advisory for defects with meaningful security impact on realistic wolfSSL deployments, where exploitability is demonstrated or clearly analyzable. wolfSSL determines whether a finding meets this bar. + +We classify confirmed vulnerabilities across four severity tiers: + +- **Critical** — Remote, practically exploitable defects in default configurations +- **High** — Serious defects with realistic exploitability +- **Medium** — Defects with meaningful impact under favorable conditions +- **Low** — Defects requiring specialized configurations or narrow deployment scenarios + +Reporter-proposed severity is input to the process, not its conclusion. + +## What Is Not Considered a Vulnerability + +Some defects are typically addressed as bug fixes rather than CVE-eligible vulnerabilities. These include: + +- Issues requiring physical access, physical-level side channels, or fault injection +- Issues the attacker can reach only with capabilities that already grant the outcome +- Issues reachable only through unsupported or undocumented API use +- Issues without a working reproducer +- Availability impact outside narrow protocol-facing cases + +wolfSSL determines whether a finding meets the CVE threshold. Findings below the threshold are addressed through normal release channels where appropriate; dispositions may be revisited when new information warrants. + +## Out of Scope + +- Third-party libraries bundled by customers +- Non-library code (example programs, test harnesses, developer tools) +- Documentation errors +- Performance issues without security implications + +## Supported Versions + +Security fixes are released for the current stable release and the immediately prior stable release. Older releases receive security fixes only under active commercial support agreements. + +## Coordinated Disclosure + +We investigate and fix confirmed vulnerabilities privately, coordinate disclosure timing with the reporter, and release the fix and security advisory together. Embargo extensions for ecosystem coordination — downstream integrators, certification bodies, or equivalent — are considered case-by-case. CVE records are published consistent with CVE Program rules. + +## Credit + +Reporters are credited in the advisory and release notes unless anonymity is requested. Reports are welcome from independent security researchers, academic researchers, and organizations conducting authorized security testing. + +Credit text is coordinated with the reporter before publication. + +## Contact + +- **support@wolfssl.com** — security vulnerability reports and general support +- **info@wolfssl.com** — general inquiries + +Published CVE advisories: https://www.wolfssl.com/docs/security-vulnerabilities/ + +## Policy Changes + +Material changes to this policy are announced via the wolfSSL blog. The canonical version of this policy is maintained in the wolfSSL GitHub repository. + +*Last updated: 2026-04-22*