Security policy
Reporting security bugs
If you think you have found a security bug in OQS software, please send email to security@openquantumsafe.org or submit a security disclosure on GitHub for liboqs or oqs-provider. If you want to send an encrypted message, you can use this PGP key to email dstebila@uwaterloo.ca. We do not run a bug bounty program.
General principles
We do aim to create reliable, secure software implementing post-quantum cryptography. However, we are primarily a research project focused on prototyping and evaluating post-quantum cryptography, not on creating products, so our response to security issues will be on a best-effort basis, and we do not make guarantees on timelines. Note that many algorithm implementations included in OQS are obtained from other projects; resolving issues may require coordination with other parties and this may affect resolution time.
Note that a cryptanalytic flaw in an algorithm may result in an algorithm being temporarily removed until its creators issue a fix, or permanently removed if broken.
The goal of these integrations is to provide easy prototyping of quantum-resistant cryptography, and they should not be considered “production quality”. Please see more about limitations of our prototype software.
Notification
When we are planning an update that fixes a high severity security issue, we will post an update on our website openquantumsafe.org indicating a planned release date and will notify those who have requested to be added to our notification list (email security@openquantumsafe.org to be added to this list).