From d767188dc8adb721e02e2bbbb1e343b72da502e7 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 14 Jul 2026 22:09:33 +0200 Subject: [PATCH 1/5] Create SECURITY.md --- SECURITY.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..71b1523 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,28 @@ +# Security Policy + +## Reporting a Vulnerability + +This project takes security seriously —this is meant literally —not like some companies claim after a breach or other security incident. + +The attack surface of testssl.sh is quite small and thus there should not be any serious blunders. We followed recommended security practises, e.g. like validate inputs and a lot more. + +However this project was made by humans and despite our dedication there could be still security bugs. If you find one and the impact is not low, please use [Responsible +Disclosure](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)#Coordinated_vulnerability_disclosure), see +[github docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/how-tos/report-and-fix-vulnerabilities/report-privately) and report them *privately* . If you happen +to have a PoC, it will be much appreciated but it is not mandatory. Using [Full Disclosure](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)#Full_disclosure) might be a problem for the people setting up a website using testssl.sh as a scanner or users. +Also keep in mind that the maintainers here have a professional attitude but this project, it is a spare time project. + + +## Supported Versions + +As said in the Readme.md we only support n-1 versions , n being the branch/minor version: + +| Branches | Supported | +| -------- | ------------------ | +| 3.3dev | :white_check_mark: | +| 3.2.x | :white_check_mark: | +| 3.0.x | :x: | +| <=2.9.5 | :x: | + +For x (patch version) we expect your report to refer to the latest release. For the rolling release version (*dev) please refer to the latest and greatest @ github. + From 789a64b7d7045e70e7e4d0bb7c937a605b5af50f Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 14 Jul 2026 22:14:08 +0200 Subject: [PATCH 2/5] copied over from 3.3dev * comments instead of backticks * AI section * asking for some more info --- .github/ISSUE_TEMPLATE/bug_report.md | 32 +++++++++++++++++++--------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 2dd2ccb..2c3d639 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -11,31 +11,43 @@ assignees: '' _Feel free to remove this line but please stick to the template. We would like to reproduce the bug and therefore need concise information. Depending on the lack of information provided we might close your issue otherwise right away. _ --> +**General remark** + +It's much appreciated if you spot bugs and file them! Please keep in mind though that you'd need to enable us to reproduce what you encountered. If otherwise we need to play ping-pong it costs time on our side we'd rather like to spend on the development. + **Before you open an issue please check which version you are running and whether it is the latest in stable / dev branch** -I am running version (``git log | head -1`` if running from the git repo. Otherwise ``testssl.sh -v | grep from``) +- [ ] I am running version from the git repo : +- [ ] I am running: +- [ ] Different version, check for updates here: -**Before you open an issue please whether this is a known problem by searching the issues** +**Before you open an issue please consult the [FAQ](https://github.com/testssl/testssl.sh/blob/3.3dev/FAQ.md) and check whether this is a known problem by searching the [issues](https://github.com/testssl/testssl.sh/issues)** -Is related to / couldn't find anything +- [ ] Is related to ... +- [ ] couldn't find anything -**Command line / docker command to reproduce** +**Command line to reproduce (or docker command)** -Which was your command line? In addition the target of your scan would be helpful. If you don't want to disclose it publicly: ``grep SWCONTACT testssl.sh``. +Which was your command line? In addition the target of your scan is often needed to reproduce what happened. If you don't want to disclose it publicly: ``grep SWCONTACT testssl.sh``. **Expected behavior** -A clear and concise description of what you would expect to happen. +A clear and concise description of what you would expect to happen instead. **Your system (please complete the following information):** - - OS: ``awk -F\" '/PRETTY_NAME/ { print $2 }' /etc/os-release`` - - Platform: ``uname -srm`` - - OpenSSL + bash: ``testssl.sh -b 2>/dev/null | grep Using`` + - OS: + - Platform: + - OpenSSL + bash: + +**AI section** +- [ ] I found a bug using LLM version: +- [ ] It was just me + **Additional context** -Add any other context about the problem goes here. +Any other context about the problem goes here. From 5453f9c26ff3fcaedbc447f2b1c4a309db5ca0d1 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 14 Jul 2026 22:25:49 +0200 Subject: [PATCH 3/5] copied over from 3.3dev * Links * AI section --- .github/pull_request_template.md | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index b79171a..eb1f168 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,22 +1,39 @@ + ## What is your pull request about? - [ ] Bug fix - [ ] Improvement - [ ] New feature (adds functionality) -- [ ] Breaking change (bug fix, feature or improvement that would cause existing functionality to not work as expected) -- [ ] Typo fix +- [ ] Breaking change: bug fix, feature or improvement that would cause existing output (especially JSON, CSV) to not work as expected before +- [ ] Typo / spelling fix - [ ] Documentation update - [ ] Update of other files ## If it's a code change please check the boxes which are applicable - [ ] For the main program: My edits contain no tabs, indentation is five spaces and any line endings do not contain any blank chars -- [ ] I've read CONTRIBUTING.md and Coding_Convention.md +- [ ] I've read [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) +- [ ] My code follows [Coding_Convention.md](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md) - [ ] I have tested this __fix__ or __improvement__ against >=2 hosts and I couldn't spot a problem - [ ] I have tested this __new feature__ against >=2 hosts which show this feature and >=2 host which does not (in order to avoid side effects) . I couldn't spot a problem - [ ] For the __new feature__ I have made corresponding changes to the documentation and / or to ``help()`` -- [ ] If it's a bigger change: I added myself to CREDITS.md (alphabetical order) and the change to CHANGELOG.md +- [ ] If it's a bigger change: I added myself to [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md) (alphabetical order of last name) and the change to [CHANGELOG.md](https://github.com/testssl/testssl.sh/blob/3.2/CHANGELOG.md) + +## AI section +- [ ] I found a bug / an improvement using LLM version: `[e.g. GPT-A.B, Claude A.B, Gemini A.B , Qwen-Coder, DeepSeek- etc.]` +- [ ] My contribution does not include any AI-generated content +- [ ] My contribution includes AI-generated content, as disclosed below: + - AI Tools: `[e.g. GitHub CoPilot, JetBrains Junie, VS Code plugin etc.]` + - LLMs and versions: `[e.g. GPT-A.B, Claude A.B, Gemini A.B , Qwen-Coder, DeepSeek- etc.]` + From e6f9e3e36491f97feebadf3c2fd9714f6cfcbc6e Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 14 Jul 2026 22:35:50 +0200 Subject: [PATCH 4/5] Add SECURITY.md Minor updates from 3.3dev --- Readme.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/Readme.md b/Readme.md index 0103d26..a1f1704 100644 --- a/Readme.md +++ b/Readme.md @@ -11,7 +11,7 @@ [![CI test MacOS](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_macos.yml/badge.svg?branch=3.2)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests_macos.yml) [![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md) ![Mastodon Follow](https://img.shields.io/mastodon/follow/109319848143024146?domain=infosec.exchange) -[![Bluesky](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fpublic.api.bsky.app%2Fxrpc%2Fapp.bsky.actor.getProfile%2F%3Factor%3Dtestssl.bsky.social&query=%24.followersCount&style=social&logo=bluesky&label=Follow%20%40testssl.sh) +![Bluesky](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fpublic.api.bsky.app%2Fxrpc%2Fapp.bsky.actor.getProfile%2F%3Factor%3Dtestssl.bsky.social&query=%24.followersCount&style=social&logo=bluesky&label=Follow%20%40testssl.sh) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) `testssl.sh` is a free command line tool which checks a server's service on @@ -30,8 +30,8 @@ cryptographic flaws. * Reliability: features are tested thoroughly. * Privacy: It's only you who sees the result, not a third party. * Freedom: It's 100% open source. You can look at the code, see what's going on. -* The development is free and open @ GitHub and participation is welcome. -* Unit tests ensure maturity (output is consistent, JSON is valid, runs under Linux+MacOS etc) +* The development is free and open @ GitHub. Participation and contributions are welcome. +* Unit tests ensure maturity: check for consistency, whether JSON is valid, runs under Linux+MacOS, and a lot more! ### License @@ -101,7 +101,7 @@ Given the current manpower we only support n-1 versions. We started a 3.3.dev br * .. it is there for reading. Please do so :-) -- at least before asking questions. See man page in groff, html and markdown format in `~/doc/`. * [https://testssl.sh/](https://testssl.sh/) will help to get you started. * There's also an [AI generated doc](https://deepwiki.com/testssl/testssl.sh), see also below. -* Will Hunt provides a longer [description](https://www.4armed.com/blog/doing-your-own-ssl-tls-testing/) for an older version (2.8), including useful background information. +* Will Hunt provided a longer [description](https://www.4armed.com/blog/doing-your-own-ssl-tls-testing/). While it was written for an older version (2.8), it still includes background information. ### Contributing @@ -121,6 +121,10 @@ https://github.com/testssl/testssl.sh/wiki/Bug-reporting. Nobody can read your t You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wiki/Findings-and-HowTo-Fix-them). +### Security bug reports + +See [SECURITY.md](https://github.com/testssl/testssl.sh/blob/3.2/SECURITY.md). + ---- ### External/related projects From 7c41e22ea2f0b9ed935a28782e15b327ae6e43e2 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 14 Jul 2026 22:42:02 +0200 Subject: [PATCH 5/5] 3.3dev --> 3.2 --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 2c3d639..70fd7dd 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -22,7 +22,7 @@ It's much appreciated if you spot bugs and file them! Please keep in mind though - [ ] Different version, check for updates here: -**Before you open an issue please consult the [FAQ](https://github.com/testssl/testssl.sh/blob/3.3dev/FAQ.md) and check whether this is a known problem by searching the [issues](https://github.com/testssl/testssl.sh/issues)** +**Before you open an issue please consult the [FAQ](https://github.com/testssl/testssl.sh/blob/3.2/FAQ.md) and check whether this is a known problem by searching the [issues](https://github.com/testssl/testssl.sh/issues)** - [ ] Is related to ... - [ ] couldn't find anything