Security Policy
Overview
This document outlines how the FlightGear project handles security vulnerabilities.
All contributors (especially maintainers), users, security researchers, and community members are encouraged to review and follow these guidelines.
Security Updates and Advisories
Information about security vulnerabilities is published as CVEs and can be viewed from any CVE feed.
Official advisories will also be posted on the FlightGear website.
Information for Security Researchers
If you have discovered a security vulnerability in FlightGear, we would like to work with you collaboratively to resolve the issue.
Reporting a Vulnerability
Attention
Please do not publicly disclose a vulnerability immediately. Instead, please collaborate with us to responsibly disclose the vulnerability, and allow us time to respond so that we may prepare and distribute a fix to protect our users.
To report a vulnerability, please create a confidential GitLab issue here. Please include as many details about the vulnerability as you can, such as:
Description of the vulnerability and its impact
Affected FlightGear versions
Steps to reproduce or proof of concept
Any relevant logs or error messages
What happens next
After you have submitted a vulnerability, the following steps are taken:
Investigation: A member of the FlightGear team will follow up with you via the GitLab issue and may request additional information.
Remediation: We will develop a fix for the vulnerability, create a new release, and prepare that release for distribution. In urgent cases, the fix may be backported to older versions of FlightGear.
Responsible Disclosure: When a new release containing the fix is available to users, the FlightGear team will file for a CVE through our chosen CNA, GitLab. The CVE will not be published until the release is available. Unless you wish to remain anonymous, you will be credited as the individual who discovered the vulnerability.
What if I don’t hear back from you?
If for some reason you do not hear back from a member of the FlightGear team via the GitLab issue within 90 days, you are encouraged to file for a CVE and publicly disclose the vulnerability, in accordance with responsible disclosure practices.