GnuPG - Security
Security
The GnuPG Project takes the security of software it develops very seriously. In general we prefer a full disclosure approach, and all bugs listed in our bug tracker as well as code changes in our software repository are public. Given that GnuPG is an important part of many software distributions and severe bugs in GnuPG would affect their users directly, we co-ordinate with them in private as soon as we learn about a severe vulnerability.
Sometimes we receive pre-notifications of research which may lead to a new kind of vulnerability. In these cases we may work with the researchers in private on a solution and co-ordinate our fix release with them.
Threat Model of libgcrypt
Libgcrypt has been developed for use on a wide variety of platforms with different security needs. Some platforms exhibit fine-grained side channels which can be used to spy on processes running in other containers or virtual machines. Although Libgcrypt implements many countermeasures against such side-channel attacks, it is not possible to avoid all of them. In the worst case it is thus possible to leak the entire private key or a password to a malicious process running in another virtual machine on the same hardware.

Those hardware-related threats are out of scope in Libgcrypt's threat model. It is up to users not to offer any access to those side channels.
Security contact
If you found a severe security problem and you do not want to publish it, please report it by mail to security at gnupg.org. We prefer reports in plain text format; if needed we can also work with PDF files. For security reasons we won't read any other complex data formats (e.g. docx or odt).

Note that we do not use a team OpenPGP key. Thus please write a non-encrypted message to the security address and ask for the keys of the developers on duty, and then encrypt the mail to all of them. A list of our core developers can be found here; they are all active on the gnupg-devel mailing list.
These web pages are Copyright 1998--2020 The GnuPG Project and licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. See copying for details.
Page source last changed on 2024-02-05.