blob: bb15cf746e84a8c2988713acfffdf37db9134b61 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
# Repository security policy
Mullvad takes the security of our VPN app seriously. We perform third party security audits of the
entire app every second year. We also do smaller more specialized audits for certain features.
You can read more about these audits in the [audits directory](audits/README.md).
## Reporting security vulnerabilities
We welcome security researchers, customers or anyone else to scrutinize the source code of our
products and report any issues they find to us. We ask you to carry out responsible
research and disclosure. This includes, but is not limited to refraining from:
* Denial of service attacks against API endpoints used by the app
* Trying to disrupt the Mullvad VPN service
* Publicly disclosing vulnerabilities before reporting them to us in private.
Before reporting issues, we recommend that you read the following documents:
* [docs/security.md] - Explaining various expected security properties of the app
* [known issues] - Listing already known issues in the app.
**Please do not report security vulnerabilities through GitHub issues or other
public channels.** Instead please [create a vulnerability report on Github]. Or email our
support on [support@mullvadvpn.net]. Preferrably encrypted with our [support's PGP] key.
[create a vulnerability report on Github]: https://github.com/mullvad/mullvadvpn-app/security/advisories/new
[support@mullvadvpn.net]: mailto:support@mullvadvpn.net
[support's PGP]: https://mullvad.net/static/gpg/mullvadvpn-support-mail.asc
[known issues]: docs/known-issues.md
[docs/security.md]: docs/security.md
|
