---
lang: en
layout: doc
permalink: /security/
redirect_from:
- /en/security/
- /en/doc/security/
- /en/doc/qubes-security/
- /doc/QubesSecurity/
- /wiki/QubesSecurity/
- /en/doc/security-page/
- /doc/SecurityPage/
- /wiki/SecurityPage/
- /trac/wiki/SecurityPage/
ref: 217
title: Qubes OS project security center
---

This page provides a central hub for topics pertaining to the security of the
Qubes OS Project. For topics pertaining to software security *within* Qubes OS,
see [security in Qubes](/doc/#security-in-qubes). The following is a list of
important project security pages:

- [Qubes security pack (qubes-secpack)](/security/pack/)
- [Qubes security bulletins (QSBs)](/security/qsb/)
- [Qubes canaries](/security/canary/)
- [Xen security advisory (XSA) tracker](/security/xsa/)
- [Verifying signatures](/security/verifying-signatures/)
- [PGP keys](https://keys.qubes-os.org/keys/)
- [Security FAQ](/faq/#general--security)

## Reporting security issues in Qubes OS

<div class="alert alert-warning" role="alert">
  <i class="fa fa-exclamation-circle"></i>
  <b>Please note:</b> The Qubes security team email address is intended for
  <b>responsible disclosure</b> by security researchers and others who discover
  legitimate security vulnerabilities. It is <b>not</b> intended for everyone
  who suspects they've been hacked. Please <b>do not</b> attempt to contact the
  Qubes security team unless you can <b>demonstrate</b> an actual security
  vulnerability or unless the team will be able to take reasonable steps to
  verify your claims.
</div>

If you've discovered a security issue affecting Qubes OS, either directly or
indirectly (e.g., the issue affects Xen in a configuration that is used in
Qubes OS), then we would be more than happy to hear from you! We promise to
take all reported issues seriously. If our investigation confirms that an issue
affects Qubes, we will patch it within a reasonable time and release a public
[Qubes security bulletin (QSB)](/security/qsb/) that describes the issue,
discusses the potential impact of the vulnerability, references applicable
patches or workarounds, and credits the discoverer. Please use the [Qubes
security team PGP
key](https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc) to encrypt
your email to this address:

```
security at qubes-os dot org
```

This key is signed by the [Qubes Master Signing
Key](https://keys.qubes-os.org/keys/qubes-master-signing-key.asc). Please see
[verifying signatures](/security/verifying-signatures/) for information about
how to authenticate these keys.

## Security updates

Qubes security updates are obtained by [updating Qubes
OS](/doc/how-to-update/).

## Qubes security team

The **Qubes security team (QST)** is the subset of the [core
team](/team/#core-team) that is responsible for ensuring the security of Qubes
OS and the Qubes OS Project. In particular, the QST is responsible for:

- Responding to [reported security
  issues](#reporting-security-issues-in-qubes-os)
- Evaluating whether [XSAs](/security/xsa/) affect the security of Qubes OS
- Writing, applying, and/or distributing security patches to fix
  vulnerabilities in Qubes OS
- Writing, signing, and publishing [Qubes security bulletins
  (QSBs)](/security/qsb/)
- Writing, signing, and publishing [Qubes canaries](/security/canary/)
- Generating, safeguarding, and using the project's [PGP
  keys](https://keys.qubes-os.org/keys/)

Because Qubes is a security-oriented operating system, the QST is fundamentally
important to Qubes, and every Qubes user implicitly trusts the members of the
QST by virtue of the actions listed above.

### Members of the security team

- [Marek Marczykowski-Górecki](/team/#marek-marczykowski-górecki)
- [Simon Gaiser (aka HW42)](/team/#simon-gaiser-aka-hw42)
- [Joanna Rutkowska](/team/#joanna-rutkowska) ([emeritus, canaries only](/news/2018/11/05/qubes-security-team-update/))