Security Policy

Reporting a Vulnerability

Please report any security-relevant flaw to security@strongswan.org. Whenever possible encrypt your email with the PGP key with key ID 0x1EB41ECF25A536E4.

Severity Classification

• High Severity Flaw

  • Allows remote access to the VPN with improper, missing, or invalid credentials
  • Allows local escalation of privileges on the server
  • Plain text traffic on the secure interface
  • Key generation and crypto flaws that reduce the difficulty in decrypting secure traffic

• Medium Severity Flaw

  • Remotely crashing the strongSwan daemon, which would allow DoS attacks on the VPN service

• Low Severity Flaw

  • All other minor issues not directly compromising security or availability of the strongSwan daemon or the host the daemon is running on

Action Taken

For high and medium severity vulnerabilities we are generally going to apply for a CVE Identifier first. Next we notify all known strongSwan customers and the major Linux distributions, giving them a time of about three weeks to patch their software release. On a predetermined date, we officially issue an advisory and a patch for the vulnerability and usually a new stable strongSwan release containing the security fix.

Minor vulnerabilities of low severity usually will be fixed immediately in our repository and released with the next stable release.

List of Reported and Fixed Security Flaws

A list of all reported strongSwan high and medium security flaws may be found in the CVE database.

The corresponding security patches are published on https://download.strongswan.org/security/.