This affects common configurations and which are also likely to be exploitable. We use the following severity categories: We will determine the risk of each issue, taking into account our experience dealing with past issues, versions affected, common defaults, and use cases. The existence of a previous CVE does not override this policy going forward. Prior to the threat model being included in this policy, CVEs were sometimes issued for these classes of attacks. We are working towards making the same physical system side channel attacks very hard. Mitigations for security issues outside of our threat scope may still be addressed, however we do not class these as OpenSSL vulnerabilities and will therefore not issue CVEs for any mitigations to address these issues. physical observation side channels (e.g. power consumption, EM emissions, etc). Accordingly, we do not consider OpenSSL secure against the following classes of attacks: Threat Model Certain threats are currently considered outside of the scope of the OpenSSL threat model. We may work in private with individuals who are not on the OMC or OTC as well as other organisations and our employers where we believe this can help with the issue investigation, resolution, or testing. We engage resources within OpenSSL to start the investigation and prioritisation. Notifications are received by the OMC and OTC. If you wish to report a possible security issue in OpenSSL please notify us. Security Policy Reporting security issues