The development team behind the OpenSSL open-source encryption toolkit has released its first official security policy, laying out its internal security protocols and plans to pre-notify organizations implementing OpenSSL about impending updates and security fixes.
The OpenSSL pre-notification policy will allow notices to be sent out over the OpenSSL mailing list and on the homepage with the release schedule of any update as well as the severity of whatever issues are being fixed. For issues designated as “high severity,” additional details about patches will be sent out. The team will not, however, allow advance notice in marketing as a competitive advantage, or for notice to be based on any paid membership.
“Our policy is to let the organizations that have a general-purpose OS that uses OpenSSL have a few days’ notice in order to prepare packages for their users and feedback test results,” the policy stated.
OpenSSL security issues will now be classified into three categories, which designate both how the issue is treated internally as well as whether it remains private or is made public with advance notice to distributions. The categories are:
• Low-severity issues include things that only affect the OpenSSL command-line utility, unlikely configurations, or hard-to-exploit timing attacks. These will in general be fixed immediately in the latest development versions, and may be backported to older versions that are still getting updates. The OpenSSL team will update the vulnerabilities page and note the issue CVE in the changelog and commit message, but they may not trigger new releases.
• Moderate-severity issues include things like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws. These are generally kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time.
• High-severity issues include things affecting common configurations that are also likely to be exploitable. Examples include a server denial-of-service attack, a significant leak of server memory, and remote code execution. The team promised to keep private high-severity issues to a minimum, disclosing them within a month when they view the security risk as “under their control,” or sooner if there is a “significant” risk of an issue being exploited.
OpenSSL’s security policy was informed by research done by the team, laid out in the announcement along with the new protocols. Among the key findings of OpenSSL’s internal review were that the more people were told in advance of security issues, the higher the likelihood of a leak. The team also concluded that OpenSSL can benefit from peer review of patches to fix things quickly, and that OpenSSL is used in a far wider range of products than websites, including smart devices such as TVs, cars and home appliances.
The current OpenSSL mailing list includes distributions such as Android, Chrome OS, Debian, FreeBSD, Oracle, Red Hat, Ubuntu and others.
More information about OpenSSL’s security policy can be found in the official announcement.