How to report security related issues?

Also, just by accident I found a very minor “security issue”. I don’t see how Golioth wants to handle such issues.
The issue itself is pretty simple: if you use a wrong PSK identity, you get an alert with internal error. There are two points to mention:

  • that’s the wrong error code
  • according to some research a while ago, the current common approach for a wrong PSK identity is to handle that as a wrong “MAC”, and with that, it results in a timeout of the handshake. The reason behind that is to make it harder for attackers. I personally don’t agree with that “common approach”, because that identity is sent in plain and so this protection doesn’t help, but too frequently you get asked about such things in audits and then it’s easier to comply with it.

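The two server behaviours described in the post, side by side, as an added example that is not Golioth’s code: a naive lookup that answers an unknown PSK identity with a distinct alert, and the “common approach” that always returns a key (a dummy one for unknown identities) so the handshake fails at MAC verification exactly as a wrong key would. The PSK table, the transcript and the Finished-MAC stand-in are constructed and simplified; they are not real DTLS messages.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample PSK table (identity -> pre-shared key); not real credentials.
PSK_TABLE = {
    b"device-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    b"device-0002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}

# Per-process secret used only to derive a dummy key for unknown identities.
_DUMMY_KEY_SECRET = os.urandom(32)


def naive_lookup(identity: bytes) -> Optional[bytes]:
    """Returns None for an unknown identity; the caller then emits a distinct alert."""
    return PSK_TABLE.get(identity)


def hardened_lookup(identity: bytes) -> bytes:
    """Always returns a key: the real one if known, otherwise a deterministic dummy.

    The dummy is an HMAC of the identity under a server secret, so the server
    behaves exactly as if the identity existed with a different key."""
    real = PSK_TABLE.get(identity)
    dummy = hmac.new(_DUMMY_KEY_SECRET, identity, hashlib.sha256).digest()[:16]
    return real if real is not None else dummy


def client_finished(identity: bytes, psk: bytes, transcript: bytes) -> bytes:
    """Simplified stand-in for the Finished MAC: HMAC over the transcript keyed by the PSK."""
    return hmac.new(psk, identity + transcript, hashlib.sha256).digest()


def server_handle(identity: bytes, finished_mac: bytes, transcript: bytes,
                  lookup: Callable[[bytes], Optional[bytes]]) -> str:
    """Returns what the client can observe.

    'alert: internal_error' reveals that the identity is unknown; dropping the
    handshake (client times out) is the same outcome a wrong key produces."""
    key = lookup(identity)
    if key is None:
        return "alert: internal_error"
    expected = hmac.new(key, identity + transcript, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, finished_mac):
        return "handshake dropped (client times out)"
    return "handshake_ok"
```

With `hardened_lookup` an unknown identity and a wrong key are indistinguishable to the client; with `naive_lookup` they are not.
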
Hi @achim.kraus! Good to hear from you and thank you for reporting this issue. We’ll make sure to address it promptly. Future security issues can be reported to [email protected]. We will also make sure to make the reporting process more prominently featured in our documentation.

Thanks!
Dan

Following up here for future post viewers: Golioth’s vulnerability disclosure policy and reporting instructions can now be found at Vulnerability Disclosure Policy.