liboqs/SECURITY.md
Spencer Wilson b5d3dac4eb
liboqs 0.14.0 release candidate 1 (#2180)
* Prepare 0.14.0 release candidate 1 [full tests] [extended tests]

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

* Update release notes with deprecation and security info [skip ci]

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

---------

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
2025-06-26 14:23:12 -04:00


Security Policy

Supported Versions

We only support the most recent release.

Using any code prior to 0.12.0 is strongly discouraged due to a known security vulnerability in HQC.

Version    Supported
0.14.0     Yes
< 0.14     No

Reporting a Vulnerability

Please follow this information to report a vulnerability.

Threat Model

Some timing-based side-channel attacks are within the scope of our threat model. OQS tests for secret-dependent branches and memory accesses on Linux on x86_64. All test failures are documented as either "passes," which we have assessed to be false positives, or "issues," which may constitute nonconstant-time behaviour. The algorithm datasheets indicate whether or not an implementation passes our constant-time tests, as well as whether or not it is expected to pass. Details about passes and issues are available in the tests/constant_time directory. These tests do not encompass all classes of nonconstant-time behaviour; for example, they do not detect possible variable-time instructions, such as DIV. Reports of nonconstant-time behaviour that fall outside this scope will be considered on a case-by-case basis, with a priority on Tier 1 platforms.
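The two classes of behaviour named above, a secret-dependent memory access and a secret-dependent branch, are shown here next to branch-free equivalents. This is an added example, not code from liboqs or its test suite. All function names are hypothetical and the lookup table is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 16-entry table standing in for any lookup table. */
static const uint8_t TABLE[16] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76};

/* Secret-dependent memory access: the address read depends on secret_idx. */
uint8_t lookup_leaky(uint8_t secret_idx) {
    return TABLE[secret_idx & 0x0f];
}

/* 0xff when a == b, 0x00 otherwise, computed without a branch. */
static uint8_t ct_eq_mask(uint8_t a, uint8_t b) {
    uint32_t diff = (uint32_t)(a ^ b);          /* 0 only when equal */
    return (uint8_t)(((diff - 1) >> 8) & 0xff); /* 0 - 1 wraps to all ones */
}

/* Same result as lookup_leaky, but every entry is read and mask-selected. */
uint8_t lookup_ct(uint8_t secret_idx) {
    uint8_t idx = (uint8_t)(secret_idx & 0x0f);
    uint8_t out = 0;
    for (uint8_t i = 0; i < 16; i++)
        out |= (uint8_t)(TABLE[i] & ct_eq_mask(i, idx));
    return out;
}

/* Secret-dependent branch: returns at the first mismatching byte. */
int tag_equal_leaky(const uint8_t *secret, const uint8_t *guess, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (secret[i] != guess[i]) return 0;
    return 1;
}

/* Accumulates every difference; the work done depends only on n. */
int tag_equal_ct(const uint8_t *secret, const uint8_t *guess, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(secret[i] ^ guess[i]);
    return (int)(ct_eq_mask(acc, 0) & 1);
}

int main(void) { /* exit status 0 when leaky and masked variants agree */
    const uint8_t k[4] = {1, 2, 3, 4}, g[4] = {1, 2, 3, 5};
    return !(lookup_ct(9) == lookup_leaky(9) &&
             tag_equal_ct(k, g, 4) == tag_equal_leaky(k, g, 4));
}
```

Source-level patterns like these do not guarantee what the compiler emits, so the compiled binary still has to be checked. None of these functions uses division, the separate class of variable-time instruction that the paragraph above says the tests do not detect.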

The following types of attacks are outside the scope of our threat model:

  • same physical system side channel
  • CPU / hardware flaws
  • physical fault injection attacks (including Rowhammer-style attacks)
  • physical observation side channels (such as power consumption, electromagnetic emissions)

Mitigations for security issues outside the stated threat model may still be applied depending on the nature of the issue and the mitigation.

(Based in part on https://openssl-library.org/policies/general/security-policy/index.html)

Security Response Process

Security reports for liboqs will be handled in accordance with the OQS security response process. Please also see the general support disclaimer for liboqs.