| field | value | date |
|---|---|---|
| author | Linus Färnstrand <linus@mullvad.net> | 2025-10-03 12:52:11 +0200 |
| committer | Linus Färnstrand <linus@mullvad.net> | 2025-10-03 15:16:45 +0200 |
| commit | 2d5bbb21f8531f0e180b3469912e32e3162bfc12 (patch) | |
| tree | 90b881fb64434246c958afe14c41c10f802aff94 | |
| parent | 995a7a888d62241c69d271ce68ea4eb3630b036e (diff) | |
| download | mullvadvpn-2d5bbb21f8531f0e180b3469912e32e3162bfc12.tar.xz, mullvadvpn-2d5bbb21f8531f0e180b3469912e32e3162bfc12.zip | |
Add a SECURITY.md security policy
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | SECURITY.md | 29 |
| -rw-r--r-- | docs/security.md | 7 |

2 files changed, 34 insertions, 2 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..bb15cf746e --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Repository security policy + +Mullvad takes the security of our VPN app seriously. We perform third party security audits of the +entire app every second year. We also do smaller more specialized audits for certain features. +You can read more about these audits in the [audits directory](audits/README.md). + +## Reporting security vulnerabilities + +We welcome security researchers, customers or anyone else to scrutinize the source code of our +products and report any issues they find to us. We ask you to carry out responsible +research and disclosure. This includes, but is not limited to refraining from: + +* Denial of service attacks against API endpoints used by the app +* Trying to disrupt the Mullvad VPN service +* Publicly disclosing vulnerabilities before reporting them to us in private. + +Before reporting issues, we recommend that you read the following documents: +* [docs/security.md] - Explaining various expected security properties of the app +* [known issues] - Listing already known issues in the app. + +**Please do not report security vulnerabilities through GitHub issues or other +public channels.** Instead please [create a vulnerability report on Github]. Or email our +support on [support@mullvadvpn.net]. Preferrably encrypted with our [support's PGP] key. + +[create a vulnerability report on Github]: https://github.com/mullvad/mullvadvpn-app/security/advisories/new +[support@mullvadvpn.net]: mailto:support@mullvadvpn.net +[support's PGP]: https://mullvad.net/static/gpg/mullvadvpn-support-mail.asc +[known issues]: docs/known-issues.md +[docs/security.md]: docs/security.md diff --git a/docs/security.md b/docs/security.md index 9f1f878822..26c7aa748a 100644 --- a/docs/security.md +++ b/docs/security.md 
@@ -1,7 +1,10 @@ # Mullvad VPN app security -This document describes the security properties of the Mullvad VPN app. It describes it for all -platforms and their differences. Individual platforms might have slightly different properties and +This document describes the security properties of the Mullvad VPN app. +For the security policy on this code repository, see [SECURITY.md](../SECURITY.md). + +This document describes the security for all platforms, and their differences. +Individual platforms might have slightly different properties and allow or block network traffic a bit differently, but all such deviations are described here. This document does not describe in detail *how* we reach and uphold these properties, just what |
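Review bot: the SECURITY.md hunk asks reporters to refrain from `Publicly disclosing vulnerabilities before reporting them to us in private.` but says nothing about what the project commits to in return (acknowledging a report, an expected response window, or when a fix is published); a sentence on that would make the responsible-disclosure request reciprocal and give researchers a basis for coordinated disclosure. Smaller points in the same hunk: `Preferrably encrypted with our [support's PGP] key.` should read `Preferably` and is a sentence fragment, better attached to the preceding sentence; `This includes, but is not limited to refraining from:` needs a comma after `to`; `Github` in `[create a vulnerability report on Github]` is spelled `GitHub` elsewhere; and the first two bullets end without a period while the third has one.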
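Review bot: in the docs/security.md hunk the two new paragraphs both open with "This document describes" (`This document describes the security properties of the Mullvad VPN app.` and `This document describes the security for all platforms, and their differences.`), and the second drops the word `properties` that the replaced sentence had, so "the security" reads vaguer than before; consider merging them into one sentence such as `This document describes the security properties of the Mullvad VPN app on all platforms, and their differences.` and keeping the pointer to `[SECURITY.md](../SECURITY.md)` as its own short paragraph. The relative link resolves correctly from `docs/` to the repository root, and the header `@@ -1,7 +1,10 @@` matches the two removed and five added lines.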
