mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
a18174dc5e
Thank you to @unman for the initial sentence case pass.
90 lines
3.5 KiB
Markdown
90 lines
3.5 KiB
Markdown
---
|
|
lang: en
|
|
layout: doc
|
|
permalink: /security/
|
|
redirect_from:
|
|
- /en/security/
|
|
- /en/doc/security/
|
|
- /en/doc/qubes-security/
|
|
- /doc/QubesSecurity/
|
|
- /wiki/QubesSecurity/
|
|
- /en/doc/security-page/
|
|
- /doc/SecurityPage/
|
|
- /wiki/SecurityPage/
|
|
- /trac/wiki/SecurityPage/
|
|
ref: 217
|
|
title: Qubes OS project security center
|
|
---
|
|
|
|
This page provides a central hub for topics pertaining to the security of the
|
|
Qubes OS Project. For topics pertaining to software security *within* Qubes OS,
|
|
see [Security in Qubes](/doc/#security-in-qubes). The following is a list of
|
|
important project security pages:
|
|
|
|
- [Qubes Security Pack (`qubes-secpack`)](/security/pack/)
|
|
- [Qubes Security Bulletins (QSBs)](/security/qsb/)
|
|
- [Qubes Canaries](/security/canary/)
|
|
- [Xen Security Advisory (XSA) Tracker](/security/xsa/)
|
|
- [Verifying signatures](/security/verifying-signatures/)
|
|
- [PGP keys](https://keys.qubes-os.org/keys/)
|
|
- [Security FAQ](/faq/#general--security)
|
|
|
|
## Reporting Security Issues in Qubes OS
|
|
|
|
If you believe you have found a security issue affecting Qubes OS, either
|
|
directly or indirectly (e.g., the issue affects Xen in a configuration that is
|
|
used in Qubes OS), then we would be more than happy to hear from you! Please
|
|
send a [PGP-encrypted](#security-team-pgp-key) email to the [Qubes Security
|
|
Team](#qubes-security-team). We promise to take all reported issues seriously.
|
|
If our investigation confirms that an issue affects Qubes, we will patch it
|
|
within a reasonable time and release a public [Qubes Security Bulletin
|
|
(QSB)](/security/qsb/) that describes the issue, discusses the potential impact
|
|
of the vulnerability, references applicable patches or workarounds, and credits
|
|
the discoverer.
|
|
|
|
## Security Updates
|
|
|
|
Qubes security updates are obtained by [updating Qubes
|
|
OS](/doc/how-to-update/).
|
|
|
|
## Qubes Security Team
|
|
|
|
The **Qubes Security Team (QST)** is the subset of the [Core Qubes
|
|
Team](/team/#core-team) that is responsible for ensuring the security of Qubes OS
|
|
and the Qubes OS Project. In particular, the QST is responsible for:
|
|
|
|
- Responding to [reported security
|
|
issues](#reporting-security-issues-in-qubes-os)
|
|
- Evaluating whether [XSAs](/security/xsa/) affect the security of Qubes OS
|
|
- Writing, applying, and/or distributing security patches to fix
|
|
vulnerabilities in Qubes OS
|
|
- Writing, signing, and publishing [Qubes Security Bulletins
|
|
(QSBs)](/security/qsb/)
|
|
- Writing, signing, and publishing [Qubes Canaries](/security/canary/)
|
|
- Generating, safeguarding, and using the project's [PGP
|
|
keys](https://keys.qubes-os.org/keys/)
|
|
|
|
As a security-oriented operating system, the QST is fundamentally important to
|
|
Qubes, and every Qubes user implicitly trusts the members of the QST by virtue
|
|
of the actions listed above. The Qubes Security Team can be contacted via email
|
|
at the following address:
|
|
|
|
```
|
|
security at qubes-os dot org
|
|
```
|
|
|
|
### Security Team PGP Key
|
|
|
|
Please use the [Security Team PGP
|
|
Key](https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc) to encrypt
|
|
all emails sent to this address. This key is signed by the [Qubes Master
|
|
Signing Key](https://keys.qubes-os.org/keys/qubes-master-signing-key.asc).
|
|
Please see [Verify Signatures](/security/verifying-signatures/) for information
|
|
about how to authenticate these keys.
|
|
|
|
### Members of the Security Team
|
|
|
|
- [Marek Marczykowski-Górecki](/team/#marek-marczykowski-górecki)
|
|
- [Simon Gaiser (aka HW42)](/team/#simon-gaiser-aka-hw42)
|
|
- [Joanna Rutkowska](/team/#joanna-rutkowska) ([emeritus, canaries only](/news/2018/11/05/qubes-security-team-update/))
|