From 6c4e0f257f3528c1a4937b57b680a94208b6cbf2 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 14 Jul 2026 19:29:14 +0200 Subject: [PATCH 1/3] Create SECURITY.md --- SECURITY.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e3dea7d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,28 @@ +# Security Policy + +## Reporting a Vulnerability + +This project takes security seriously —this is meant literally —not like some companies claim after a breach or other security incident. + +The attack surface of testssl.sh is quite small and thus there should not be any serious blunders. We followed recommeded patterns, e.g. like validate inputs and a lot more. + +However this project was made by humans and despite our dedication there could be still security bugs. If you find one and the impact is not low, please use [Responsible +Disclosure](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)#Coordinated_vulnerability_disclosure), see +[github docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/how-tos/report-and-fix-vulnerabilities/report-privately) and report them *privately* . If you happen +to have a PoC, it will be much appreciated but it is not mandatory. Using [Full Disclosure](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)#Full_disclosure) might be a problem for the people setting up a website using testssl.sh as a scanner or users. +Also keep in mind that the maintainers here have a professional attitude but this project, it is a spare time project. + + +## Supported Versions + +As said in the Readme.md we only support n-1 versions , n being the branch/minor version: + +| Branches | Supported | +| -------- | ------------------ | +| 3.3dev | :white_check_mark: | +| 3.2.x | :white_check_mark: | +| 3.0.x | :x: | +| <=2.9.5 | :x: | + +For x (patch version) we expect your report to refer to the latest release. For the rolling release version (*dev) please refer to the latest and greatest @ github. + From 1e80984577b84cb241cac681b46fef9dec8a7d2f Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 14 Jul 2026 19:52:06 +0200 Subject: [PATCH 2/3] Update SECURITY.md --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index e3dea7d..71b1523 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,7 +4,7 @@ This project takes security seriously —this is meant literally —not like some companies claim after a breach or other security incident. -The attack surface of testssl.sh is quite small and thus there should not be any serious blunders. We followed recommeded patterns, e.g. like validate inputs and a lot more. +The attack surface of testssl.sh is quite small and thus there should not be any serious blunders. We followed recommended security practises, e.g. like validate inputs and a lot more. However this project was made by humans and despite our dedication there could be still security bugs. If you find one and the impact is not low, please use [Responsible Disclosure](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)#Coordinated_vulnerability_disclosure), see From 4e3fdab08e9d4fb1b203839c439eff120815696e Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 14 Jul 2026 19:56:35 +0200 Subject: [PATCH 3/3] Update Readme.md --- Readme.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Readme.md b/Readme.md index 6ece533..ff079d8 100644 --- a/Readme.md +++ b/Readme.md @@ -145,6 +145,10 @@ https://github.com/testssl/testssl.sh/wiki/Bug-reporting. Nobody can read your t You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wiki/Findings-and-HowTo-Fix-them). +### Security bug reports + +See [SECURITY.md](https://github.com/testssl/testssl.sh/blob/3.3dev/SECURITY.md). + ---- ### External/related projects