Security: fido-device-onboard/go-fdo

Security Policy

The LF Edge FIDO Device Onboard (FDO) project is committed to addressing security vulnerabilities.

To report a potential security issue or vulnerability please email your report to the LF Edge FDO Security team.

When reporting, please provide as much of the following information as possible (also provided as a template in the above link):

  - Summary of Vulnerability: short description of the vulnerability
  - Description and Results: full description of the issue, including any impacts to confidentiality, integrity, or availability, as well as the expected and actual results
  - Affected Versions: list of the potentially impacted versions
  - Steps to Replicate¹: describe your execution environment and the steps to reproduce the issue, including any sample code that triggers the vulnerability
  - Common Vulnerability Scoring System (CVSS) Base Score: CVSS score, if known
  - CVSS Vector String: CVSS vector, if known
  - Known Disclosure Plans: any known disclosure plans and timelines

Encrypting Security Disclosures

If you wish to encrypt your report we recommend PGP using tools like GNU Privacy Guard.

The project's security team rotates PGP public keys, so please first send an email request for the security team's current PGP public key.

If you are having trouble encrypting your vulnerability report or have any questions about the process, please send a message to the go-fdo LF Edge FDO Security team. We’ll help identify a method for secure transmission of your report.

Non-Security Bugs

Reporting of bugs is managed using this project's GitHub Issues.

Before reporting a new issue, please first search the currently open Issues; if you see a similar or matching issue, please comment in that issue with your findings¹.

If there are no related issues:

  1. From the Issues page, select New Issue
  2. In the Bug Report row select Get Started. This will open a new page with a bug report template.
  3. Fill in as much detail as possible following the prompts and examples in the template.

Testing

¹ Please consider helping the project by extending test coverage. Whether you are reporting a security vulnerability or bug, if you are able to provide a unit or integration test that reproduces the issue, your contribution will expedite a resolution and also protect from future regressions.