qubes-doc/project-security/security.md

---
lang: en
layout: doc
permalink: /security/
redirect_from:
- /en/security/
- /en/doc/security/
- /en/doc/qubes-security/
- /doc/QubesSecurity/
- /wiki/QubesSecurity/
- /en/doc/security-page/
- /doc/SecurityPage/
- /wiki/SecurityPage/
- /trac/wiki/SecurityPage/
ref: 217
title: Security
---

# Qubes OS Project Security Center

- [Security FAQ]
- [Security Goals]
- [Security Pack]
- [Security Bulletins]
- [Canaries]
- [Xen Security Advisory (XSA) Tracker]
- [Why and How to Verify Signatures]
- [PGP Keys]

## Reporting Security Issues in Qubes OS

If you believe you have found a security issue affecting Qubes OS, either directly or indirectly (e.g. the issue affects Xen in a configuration that is used in Qubes OS), then we would be more than happy to hear from you!
We promise to treat any reported issue seriously and, if the investigation confirms that it affects Qubes, to patch it within a reasonable time and release a public [Qubes Security Bulletin][Security Bulletins] that describes the issue, discusses the potential impact of the vulnerability, references applicable patches or workarounds, and credits the discoverer.

## Security Updates

Qubes security updates are obtained by [Updating Qubes OS].

## The Qubes Security Team

The Qubes Security Team (QST) is the subset of the [Qubes Team] that is responsible for ensuring the security of Qubes OS and the Qubes OS Project.
In particular, the QST is responsible for:

- Responding to [reported security issues]
- Evaluating whether [XSAs][Xen Security Advisory (XSA) Tracker] affect the security of Qubes OS
- Writing, applying, and/or distributing security patches to fix vulnerabilities in Qubes OS
- Writing, signing, and publishing [Security Bulletins]
- Writing, signing, and publishing [Canaries]
- Generating, safeguarding, and using the project's [PGP Keys]

As a security-oriented operating system, the QST is fundamentally important to Qubes, and every Qubes user implicitly trusts the members of the QST by virtue of the actions listed above.
The Qubes Security Team can be contacted via email at the following address:

```
security at qubes-os dot org
```

### Security Team PGP Key

Please use the [Security Team PGP Key] to encrypt all emails sent to this address.
This key is signed by the [Qubes Master Signing Key].
Please see [Why and How to Verify Signatures] for information about how to verify these keys.

### Members of the Security Team

- [Marek Marczykowski-Górecki]
- [Simon Gaiser (aka HW42)]
- [Joanna Rutkowska] ([emeritus, canaries only])

[Security FAQ]: /faq/#general--security
[Security Goals]: /security/goals/
[Security Pack]: /security/pack/
[Security Bulletins]: /security/bulletins/
[Canaries]: /security/canaries/
[Xen Security Advisory (XSA) Tracker]: /security/xsa/
[Why and How to Verify Signatures]: /security/verifying-signatures/
[PGP Keys]: https://keys.qubes-os.org/keys/
[Qubes Team]: /team/
[reported security issues]: #reporting-security-issues-in-qubes-os
[Security Team PGP Key]: https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc
[Qubes Master Signing Key]: https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
[Marek Marczykowski-Górecki]: /team/#marek-marczykowski-górecki
[Simon Gaiser (aka HW42)]: /team/#simon-gaiser-aka-hw42
[Joanna Rutkowska]: /team/#joanna-rutkowska
[emeritus, canaries only]: /news/2018/11/05/qubes-security-team-update/
[Updating Qubes OS]: /doc/updating-qubes-os/
Reorganize security info pages 2017-03-18 22:31:12 -04:00			`---`
Add lang + ref tags to frontmatter Those are fields used by the language switcher to correlate pages across different languages, even if they have different names/paths/titles. They are generated with the prepare_for_translation.py script. 2021-03-13 13:06:18 -05:00			`lang: en`
Use default doc layout for project security docs 2019-05-26 21:04:23 -04:00			`layout: doc`
Reorganize security info pages 2017-03-18 22:31:12 -04:00			`permalink: /security/`
Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`redirect_from:`
Reorganize security info pages 2017-03-18 22:31:12 -04:00			`- /en/security/`
			`- /en/doc/security/`
			`- /en/doc/qubes-security/`
			`- /doc/QubesSecurity/`
			`- /wiki/QubesSecurity/`
			`- /en/doc/security-page/`
			`- /doc/SecurityPage/`
			`- /wiki/SecurityPage/`
			`- /trac/wiki/SecurityPage/`
Add lang + ref tags to frontmatter Those are fields used by the language switcher to correlate pages across different languages, even if they have different names/paths/titles. They are generated with the prepare_for_translation.py script. 2021-03-13 13:06:18 -05:00			`ref: 217`
Normalize frontmatter - sort keys - remove permalink from redirects 2021-03-13 12:42:50 -05:00			`title: Security`
Reorganize security info pages 2017-03-18 22:31:12 -04:00			`---`

Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`# Qubes OS Project Security Center`
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Clarify language, improve links, and clean up source 2018-01-31 23:40:01 -05:00			`- [Security FAQ]`
			`- [Security Goals]`
			`- [Security Pack]`
			`- [Security Bulletins]`
			`- [Canaries]`
			`- [Xen Security Advisory (XSA) Tracker]`
			`- [Why and How to Verify Signatures]`
			`- [PGP Keys]`

Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`## Reporting Security Issues in Qubes OS`
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Update security.md 2017-04-17 20:18:46 -04:00			`If you believe you have found a security issue affecting Qubes OS, either directly or indirectly (e.g. the issue affects Xen in a configuration that is used in Qubes OS), then we would be more than happy to hear from you!`
Clarify language, improve links, and clean up source 2018-01-31 23:40:01 -05:00			`We promise to treat any reported issue seriously and, if the investigation confirms that it affects Qubes, to patch it within a reasonable time and release a public [Qubes Security Bulletin][Security Bulletins] that describes the issue, discusses the potential impact of the vulnerability, references applicable patches or workarounds, and credits the discoverer.`
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`## Security Updates`
Add section on security updates 2019-08-26 20:39:40 -04:00
			`Qubes security updates are obtained by [Updating Qubes OS].`
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`## The Qubes Security Team`
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Update Security page - Add Qubes Security Team (QST) description - Add Simon as QST member - Add "(emeritus, canaries only)" with link next to Joanna's name; move to bottom 2018-11-05 21:21:43 -05:00			`The Qubes Security Team (QST) is the subset of the [Qubes Team] that is responsible for ensuring the security of Qubes OS and the Qubes OS Project.`
			`In particular, the QST is responsible for:`

Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`- Responding to [reported security issues]`
			`- Evaluating whether [XSAs][Xen Security Advisory (XSA) Tracker] affect the security of Qubes OS`
			`- Writing, applying, and/or distributing security patches to fix vulnerabilities in Qubes OS`
			`- Writing, signing, and publishing [Security Bulletins]`
			`- Writing, signing, and publishing [Canaries]`
			`- Generating, safeguarding, and using the project's [PGP Keys]`
Update Security page - Add Qubes Security Team (QST) description - Add Simon as QST member - Add "(emeritus, canaries only)" with link next to Joanna's name; move to bottom 2018-11-05 21:21:43 -05:00
			`As a security-oriented operating system, the QST is fundamentally important to Qubes, and every Qubes user implicitly trusts the members of the QST by virtue of the actions listed above.`
Clarify language, improve links, and clean up source 2018-01-31 23:40:01 -05:00			`The Qubes Security Team can be contacted via email at the following address:`

Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			```
			`security at qubes-os dot org`
			```
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`### Security Team PGP Key`
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Clarify language, improve links, and clean up source 2018-01-31 23:40:01 -05:00			`Please use the [Security Team PGP Key] to encrypt all emails sent to this address.`
			`This key is signed by the [Qubes Master Signing Key].`
			`Please see [Why and How to Verify Signatures] for information about how to verify these keys.`
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`### Members of the Security Team`
Reorganize security info pages 2017-03-18 22:31:12 -04:00
Clarify language, improve links, and clean up source 2018-01-31 23:40:01 -05:00			`- [Marek Marczykowski-Górecki]`
Update Security page - Add Qubes Security Team (QST) description - Add Simon as QST member - Add "(emeritus, canaries only)" with link next to Joanna's name; move to bottom 2018-11-05 21:21:43 -05:00			`- [Simon Gaiser (aka HW42)]`
			`- [Joanna Rutkowska] ([emeritus, canaries only])`
Clarify language, improve links, and clean up source 2018-01-31 23:40:01 -05:00
			`[Security FAQ]: /faq/#general--security`
			`[Security Goals]: /security/goals/`
			`[Security Pack]: /security/pack/`
			`[Security Bulletins]: /security/bulletins/`
			`[Canaries]: /security/canaries/`
			`[Xen Security Advisory (XSA) Tracker]: /security/xsa/`
			`[Why and How to Verify Signatures]: /security/verifying-signatures/`
			`[PGP Keys]: https://keys.qubes-os.org/keys/`
Update Security page - Add Qubes Security Team (QST) description - Add Simon as QST member - Add "(emeritus, canaries only)" with link next to Joanna's name; move to bottom 2018-11-05 21:21:43 -05:00			`[Qubes Team]: /team/`
			`[reported security issues]: #reporting-security-issues-in-qubes-os`
Clarify language, improve links, and clean up source 2018-01-31 23:40:01 -05:00			`[Security Team PGP Key]: https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc`
			`[Qubes Master Signing Key]: https://keys.qubes-os.org/keys/qubes-master-signing-key.asc`
			`[Marek Marczykowski-Górecki]: /team/#marek-marczykowski-górecki`
Update Security page - Add Qubes Security Team (QST) description - Add Simon as QST member - Add "(emeritus, canaries only)" with link next to Joanna's name; move to bottom 2018-11-05 21:21:43 -05:00			`[Simon Gaiser (aka HW42)]: /team/#simon-gaiser-aka-hw42`
			`[Joanna Rutkowska]: /team/#joanna-rutkowska`
Fix link 2018-11-05 21:34:21 -05:00			`[emeritus, canaries only]: /news/2018/11/05/qubes-security-team-update/`
Add section on security updates 2019-08-26 20:39:40 -04:00			`[Updating Qubes OS]: /doc/updating-qubes-os/`