Tier 1 targets can be thought of as "guaranteed to work". The CI system builds and tests binary versions for each tier 1 target to make sure any change does not negatively affect those platforms. Platform-specific build documentation must exist. Tier 1 targets marked with a dagger (†) are additionally tested for constant-time behaviour. The CI system contains automated constant-time testing for each of these starred targets, and all failures are documented in the `tests/constant_time` directory. IMPORTANT: This does not mean that constant-time behaviour is guaranteed on these targets, or that non-constant-time behaviour is limited to documented exceptions. It does, however, mean that `liboqs` developers should track constant-time issues on these platforms.
+Tier 1 platforms are also prioritized for security support, as per the [OQS security response process](https://github.com/open-quantum-safe/tsc/blob/main/security/response-process.md).
+
### Tier 2
Tier 2 targets can be thought of as "guaranteed to build". The `liboqs` CI system contains builds for each tier 2 target; testing may or may not be available (typically depending on CI system platform availability). Therefore, tier 2 targets often work to quite a good degree and patches are always welcome! Tier 2 targets may also have known deficiencies caused by a lack of expertise to fix those on a given platform. Again, help and PRs to move platforms from tier 2 to tier 1 are always welcome.
**WE DO NOT CURRENTLY RECOMMEND RELYING ON THIS LIBRARY IN A PRODUCTION ENVIRONMENT OR TO PROTECT ANY SENSITIVE DATA.** This library is meant to help with research and prototyping. While we make a best-effort approach to avoid security bugs, this library has not received the level of auditing and analysis that would be necessary to rely on it for high security use.
+Please see [SECURITY.md](SECURITY.md#security-policy) for details on how to report a vulnerability and the OQS vulnerability response process.
+
#### Platform limitations
In order to optimize support effort,
We only support the most recent release.
-Using any code prior to 0.10.1 is strongly discouraged due to a [known security vulnerability in Kyber](https://github.com/open-quantum-safe/liboqs/releases/tag/0.10.1).
+Using any code prior to 0.12.0 is strongly discouraged due to a [known security vulnerability in HQC](https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7).
| Version | Supported |
| ------- | ------------------ |
Mitigations for security issues outside the stated threat model may still be applied depending on the nature of the issue and the mitigation.
(Based in part on https://openssl-library.org/policies/general/security-policy/index.html)
+
+## Security Response Process
+
+Security reports for liboqs will be handled in accordance with the [OQS security response process](https://github.com/open-quantum-safe/tsc/blob/main/security/response-process.md).
src/sig_stfl/sig_stfl.h \
README.md \
CONFIGURE.md \
+ SECURITY.md \
CONTRIBUTORS
# This tag can be used to specify the character encoding of the source files
fi
# Doxygen can't handle Github Markdown so we temporarily reformat it
-cp README.md README.md-orig
-python3 scripts/doxyfy.py README.md-orig README.md
-cp CONFIGURE.md CONFIGURE.md-orig
-python3 scripts/doxyfy.py CONFIGURE.md-orig CONFIGURE.md
+for file in README.md CONFIGURE.md SECURITY.md
+do
+ cp $file $file-orig
+ python3 scripts/doxyfy.py $file-orig $file
+done
# run doxygen:
mkdir -p "$3/docs"
EXITCODE=$?
# undo the Github Markdown reformatting
-mv README.md-orig README.md
-mv CONFIGURE.md-orig CONFIGURE.md
+for file in README.md CONFIGURE.md SECURITY.md
+do
+ mv $file-orig $file
+done
-exit ${EXITCODE}
\ No newline at end of file
+exit ${EXITCODE}
projects / 0xmirror / liboqs.git / commitdiff