Skip to content

Security: openwave-labs/openwave

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in OpenWave, please report it responsibly.

How to Report

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please report vulnerabilities by:

  1. Email: Send details to the project maintainers (contact information available in the repository)
  2. GitHub Security Advisories: Use GitHub's private vulnerability reporting feature at Security Advisories

What to Include

When reporting a vulnerability, please include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any suggested fixes (optional but appreciated)

What to Expect

  • Acknowledgment: We will acknowledge receipt of your report within 48 hours
  • Assessment: We will investigate and assess the severity within 7 days
  • Updates: We will keep you informed of our progress
  • Resolution: We aim to resolve critical vulnerabilities promptly
  • Credit: With your permission, we will credit you in the security advisory

Scope

This security policy applies to:

  • The OpenWave core simulation engine
  • Official OpenWave packages and releases
  • Code in the main repository

This policy does not cover:

  • Third-party dependencies (report to their maintainers)
  • Unofficial forks or modifications
  • Theoretical vulnerabilities without demonstrated impact

Safe Harbor

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:

  • Make a good faith effort to avoid privacy violations and data destruction
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Report vulnerabilities promptly and do not disclose publicly before resolution
  • Do not use vulnerabilities for malicious purposes

Supported Versions

Version Supported
Latest release Yes
Development (main branch) Yes
Older releases Best effort

Security Best Practices for Users

When using OpenWave:

  • Keep your installation updated to the latest version
  • Review simulation inputs from untrusted sources
  • Run simulations in isolated environments when processing untrusted data
  • Report any suspicious behavior

License

This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). See the LICENSE file for details.

There aren’t any published security advisories