We take the security of Cosmian KMS seriously. If you discover a security vulnerability, please report it responsibly by following these steps:
Please do not report security vulnerabilities through public GitHub issues. Instead, please use one of the following methods:
- GitHub Security Advisories (Preferred): Use the private vulnerability reporting feature on GitHub
- Email: Send details to [email protected]
When reporting a vulnerability, please include as much of the following information as possible:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information
After you submit a report, you can expect the following:
- Initial Response: We will acknowledge receipt of your vulnerability report within 48 hours
- Investigation: We will investigate and validate the vulnerability within 5 business days
- Fix Development: We will work to develop and test a fix as quickly as possible
- Disclosure: We will coordinate the disclosure timeline with you
The following table lists security advisories that are currently being tracked or have been assessed for this project:
| ID | Description | Status | Reason |
|---|---|---|---|
| RUSTSEC-2023-0071 | RSA crate vulnerability affecting signature verification | Ignored | Under evaluation - specific use case may not be affected |
RUSTSEC-2023-0071: This advisory affects the RSA crate used for cryptographic operations. The vulnerability relates to signature verification processes. This advisory is currently ignored as our security team is evaluating whether the specific usage patterns in Cosmian KMS are affected by this vulnerability.
When using Cosmian KMS, we recommend:
- Keep Updated: Always use the latest supported version
- Secure Configuration: Follow the security configuration guidelines in our documentation
- Network Security: Deploy KMS behind appropriate network security controls
- Access Control: Implement proper authentication and authorization mechanisms
- Monitoring: Enable logging and monitoring for security events
Cosmian KMS supports FIPS 140-3 compliance when built with FIPS features enabled. The FIPS build uses OpenSSL 3.2.0 in FIPS mode for cryptographic operations.
This project undergoes regular security assessments. The configuration files `.cargo/audit.toml` and `deny.toml` are maintained to track and manage security advisories affecting our dependencies.
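As an added illustration, not a copy of the project's own `deny.toml`, this is how an advisory exception with the status shown in the table above is typically recorded for cargo-deny, so that the suppression carries its justification and stays reviewable; the reason text is taken from the table, and the entry format is the `[advisories].ignore` syntax of cargo-deny:

```toml
# deny.toml fragment (illustrative, not the project's file)
[advisories]
# Each ignored advisory carries its reason inline. Keep the list short and
# revisit it on every dependency update: an entry here silences the check
# for that ID until it is removed, so the justification must stay current.
ignore = [
  { id = "RUSTSEC-2023-0071", reason = "Under evaluation - specific use case may not be affected" },
]
```

The cargo-audit counterpart in `.cargo/audit.toml` uses a plain `ignore = ["RUSTSEC-2023-0071"]` list under `[advisories]` without a reason field, so the justification there belongs in an adjacent comment.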
For general security questions or concerns, please contact us at [email protected].
For immediate security issues, please use the private reporting methods described above.