secubox-openwrt/SECURITY.md
CyberMind-FR 605841e443 docs: v1.0.0 Beta Release - Pen Testing & Bug Bounty Ready
- BETA-RELEASE.md: Complete security testing guide
  - Attack surface overview (HAProxy, WAF, LXC, P2P)
  - High-value targets and secrets locations
  - Known weak points (intentional disclosure)
  - Bug bounty scope and reporting guidelines
  - Test environment setup (VirtualBox, Docker)

- SECURITY.md: Updated with Hall of Fame and beta info
- README.md: Version bump to 1.0.0-beta

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 18:45:29 +01:00


Security Policy

SecuBox Security Disclosure Policy

This document describes the security policy for SecuBox firmware, in compliance with EU Cyber Resilience Act (CRA) Article 13 §6 requirements for Class I products.

Manufacturer: CyberMind Produits SASU
Contact: Gérald Kerma, Notre-Dame-du-Cruet, Savoie, France
Website: https://cybermind.fr | https://secubox.in


Supported Versions

Version    Support Status      End of Support
1.0.x      Current (Beta)      Active development
0.19.x     LTS                 March 2027
0.18.x     ⚠️ Security only    September 2026
< 0.18     EOL                 Unsupported

v1.0.0 Beta Release

The v1.0.0 Beta is now available for security testing. See BETA-RELEASE.md for:

  • Attack surface overview
  • High-value targets
  • Known weak points (intentional disclosure)
  • Bug bounty scope and reporting guidelines

Support policy:

  • Current: All bug fixes and security patches
  • LTS (Long Term Support): Critical security patches only, 18 months
  • Security only: Critical vulnerabilities only, 6 months after next major release
  • EOL (End of Life): No updates, upgrade strongly recommended

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

Primary Contact

Email: security@cybermind.fr

PGP Key: 0xABCD1234
Fingerprint: 1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678

Alternative Contact

For critical vulnerabilities requiring immediate attention:

  • Phone: +33 (0)4 79 XX XX XX (French business hours)
  • Signal: Available upon request via email

Encrypted Communication

We strongly recommend using PGP encryption for vulnerability reports. Our public key is available at:

What to Include

Please provide:

  1. Description: Clear description of the vulnerability
  2. Impact: Potential security impact (confidentiality, integrity, availability)
  3. Affected versions: Which SecuBox versions are affected
  4. Reproduction steps: Step-by-step instructions to reproduce
  5. Proof of concept: Code, logs, or screenshots if applicable
  6. Suggested fix: If you have one (optional)

Response Timeline

Phase                Timeline
Acknowledgment       Within 48 hours
Initial triage       Within 5 business days
Status update        Every 7 days during investigation
Fix development      Depends on severity (see below)
Public disclosure    90 days after fix, or coordinated

Severity-based fix timeline:

  • Critical (CVSS 9.0+): 7 days
  • High (CVSS 7.0-8.9): 30 days
  • Medium (CVSS 4.0-6.9): 60 days
  • Low (CVSS < 4.0): Next regular release

Software Bill of Materials (SBOM)

As required by CRA Annex I, we publish machine-readable SBOMs for all releases.

SBOM Location

SBOMs are attached to each GitHub Release:

  • CycloneDX 1.6: secubox-VERSION.cdx.json
  • SPDX 2.3: secubox-VERSION.spdx.json
  • CVE Report: secubox-VERSION-cve-report.json
  • Checksums: checksums.sha256

Direct link: https://github.com/cybermind/secubox/releases/latest

SBOM Contents

Our SBOM includes:

  • All OpenWrt base packages
  • SecuBox custom packages and dependencies
  • Kernel modules and firmware blobs
  • Cryptographic libraries and versions
  • License information (SPDX identifiers)
  • PURL (Package URL) identifiers for each component

Verifying SBOM Integrity

# Download SBOM and checksums
wget https://github.com/cybermind/secubox/releases/latest/download/secubox-0.20.cdx.json
wget https://github.com/cybermind/secubox/releases/latest/download/checksums.sha256

# Verify checksum
sha256sum -c checksums.sha256 --ignore-missing

Vulnerability Disclosure (VEX)

We use Vulnerability Exploitability eXchange (VEX) documents to communicate the status of CVEs affecting SecuBox components.

VEX Policy

See docs/vex-policy.md for our full VEX handling policy.

Status definitions:

  • not_affected: CVE does not affect SecuBox (component not used, conditions not met)
  • affected: CVE affects SecuBox, fix in progress
  • fixed: CVE fixed in specified version
  • under_investigation: Analysis ongoing

VEX documents are published alongside releases:

  • secubox-VERSION.vex.json (CycloneDX VEX format)
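As an added example (not code from the SecuBox project), a small Python consumer for the release artifacts described above: it checks a CycloneDX SBOM against a checksums.sha256 file before parsing it, then joins the SBOM's PURL components with a VEX document expressed in the policy's four statuses and lists what is still open. Filenames, PURLs, digests and CVE ids are constructed placeholders, and the VEX layout is a simplified one for illustration, not the exact CycloneDX VEX schema.

```python
import hashlib
import json
# Constructed sample artifacts, not real SecuBox release files.
SBOM_BYTES = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"bom-ref": "c1", "purl": "pkg:opkg/openwrt/wireguard-tools@1.0.20210914"},
        {"bom-ref": "c2", "purl": "pkg:opkg/openwrt/haproxy@2.8.5"},
        {"bom-ref": "c3", "purl": "pkg:opkg/openwrt/crowdsec@1.6.0"},
    ],
}).encode()
# checksums.sha256 in sha256sum format ("<hex digest>  <filename>"); the second
# entry carries an all-zero placeholder digest to stand in for a tampered file.
CHECKSUMS = (hashlib.sha256(SBOM_BYTES).hexdigest() + "  secubox-1.0.0-beta.cdx.json\n"
             + "0" * 64 + "  secubox-1.0.0-beta.spdx.json\n")
# Constructed VEX statements in the policy's status vocabulary; CVE ids are placeholders.
VEX = {"vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": ["c2"], "status": "fixed"},
    {"id": "CVE-0000-0002", "affects": ["c3"], "status": "under_investigation"},
    {"id": "CVE-0000-0003", "affects": ["c1"], "status": "not_affected"},
]}

def parse_checksums(text):
    """Parse sha256sum-style lines into {filename: lowercase hex digest}.
    Text mode separates with two spaces, binary mode with ' *'; both are handled."""
    expected = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line[:64], line[64:].strip().lstrip("*")
            expected[name] = digest.lower()
    return expected

def load_sbom(name, data, checksums_text):
    """Parse the SBOM only after its digest matches; an unlisted file is untrusted too."""
    expected = parse_checksums(checksums_text).get(name)
    if expected is None or hashlib.sha256(data).hexdigest() != expected:
        raise ValueError(f"checksum verification failed for {name}")
    return json.loads(data)

def vex_report(sbom, vex):
    """Map each component PURL to its (cve, status) pairs; no statement -> empty list."""
    purl_by_ref = {c["bom-ref"]: c["purl"] for c in sbom["components"]}
    report = {purl: [] for purl in purl_by_ref.values()}
    for vuln in vex["vulnerabilities"]:
        for ref in vuln["affects"]:
            report[purl_by_ref[ref]].append((vuln["id"], vuln["status"]))
    return report

def open_items(report):
    """PURLs with a CVE still 'affected' or 'under_investigation', i.e. not closed."""
    pending = ("affected", "under_investigation")
    return sorted(p for p, items in report.items() if any(s in pending for _, s in items))
```

A component that appears in the SBOM but in no VEX statement shows up with an empty list, which is the case worth chasing with the vendor rather than silently treating as clean.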

CRA Compliance Statement

EU Cyber Resilience Act — Class I Declaration

SecuBox is a Class I product under the EU Cyber Resilience Act (Regulation 2024/XXX), as it is a router/VPN appliance with network connectivity functions.

Compliance status:

  • SBOM published in machine-readable format (CycloneDX + SPDX)
  • Vulnerability disclosure contact established
  • Security update mechanism implemented (opkg + secubox-update)
  • Default secure configuration
  • ANSSI CSPN certification: In progress (target Q3 2026)

Certification Path

We are pursuing ANSSI CSPN (Certification de Sécurité de Premier Niveau) certification for SecuBox, targeting completion in Q3 2026.

Certification scope:

  • Firewall functionality
  • VPN (WireGuard) implementation
  • Intrusion detection (CrowdSec integration)
  • Secure boot chain
  • Update integrity verification

Security Architecture

Defense in Depth

SecuBox implements multiple security layers:

  1. Network Segmentation: VLAN isolation, guest network separation
  2. WAF Protection: mitmproxy-based web application firewall
  3. Intrusion Detection: CrowdSec community threat intelligence
  4. Encrypted VPN: WireGuard with modern cryptography
  5. Access Control: SSO portal with MFA support
  6. Audit Logging: Comprehensive security event logging

Data Sovereignty

SecuBox includes an AI Gateway that enforces data classification:

  • LOCAL_ONLY: Sensitive data (IPs, credentials) never leaves device
  • SANITIZED: PII scrubbed before EU cloud processing (Mistral)
  • CLOUD_DIRECT: Generic queries to opted-in providers

See AI Gateway documentation for details.


Third-Party Components

SecuBox builds upon:

We monitor upstream security advisories and integrate patches promptly.


Secure Development Practices

  • Code review: All changes require peer review
  • Dependency scanning: Automated CVE scanning in CI/CD
  • SBOM generation: Automated with each release
  • Reproducible builds: SOURCE_DATE_EPOCH enforced
  • Signed releases: (Planned) cosign signatures for releases

Contact

Address:
CyberMind Produits SASU
Notre-Dame-du-Cruet
73130 Savoie, France



Hall of Fame

Security researchers who have responsibly disclosed vulnerabilities:

Researcher        Date        Severity    Description
Your name here

We thank all contributors who help make SecuBox more secure.


Last updated: 2026-03-15
Document version: 1.1