# Security Policy

## Supported Versions
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
## Reporting a Vulnerability
Linux Hello handles sensitive biometric data and integrates with system authentication. We take security vulnerabilities seriously.
### How to Report
Please do NOT open public GitHub issues for security vulnerabilities.
Instead, report vulnerabilities by:
- Email: Send details to the project maintainers privately
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
### What to Expect
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Status Updates: Every 14 days until resolution
- Credit: Security researchers will be credited (unless anonymity requested)
## Scope
The following are in scope for security reports:
- Authentication bypass
- Template extraction or decryption
- Anti-spoofing bypass
- IPC/D-Bus authorization issues
- Memory safety issues
- Privilege escalation
- Information disclosure
## Out of Scope
- Social engineering attacks
- Physical attacks requiring extended access
- Attacks requiring TPM hardware exploits
- Denial of service (unless used for auth bypass)
## Security Architecture
See the README for details on our security model:
- TPM2 Integration: Hardware-bound encryption
- Anti-Spoofing: Multi-layer liveness detection
- Secure Memory: Automatic zeroization of sensitive data
- IPC Security: Peer credential verification and rate limiting
## Security Hardening Recommendations
For production deployments:
- Enable TPM: Set `[tpm] enabled = true` in config
- Use IR Camera: RGB cameras are explicitly not supported
- Keep Updated: Apply security updates promptly
- Audit Logs: Monitor `/var/log/auth.log` for authentication events
- Limit Access: Configure appropriate file permissions
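The TPM and file-permission recommendations above can be checked mechanically. The script below is an added example, not part of the Linux Hello project; it assumes the config file uses an INI-style layout with a `[tpm]` section containing `enabled = true` (as shown above), and `CONFIG_PATH` is a placeholder you must adjust for your install.

```python
"""Deployment hardening audit for Linux Hello (added example, not project code).

Assumptions: INI-style config with a [tpm] section holding ``enabled = true``;
the config path below is a placeholder, not the project's real location.
"""
import configparser
import os
import stat

CONFIG_PATH = "/etc/linux-hello/config.ini"  # placeholder path (assumption)


def check_tpm_enabled(config_text: str) -> list[str]:
    """Return findings for the TPM setting; an empty list means the check passed."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    if not parser.has_section("tpm"):
        return ["config has no [tpm] section; templates are not hardware-bound"]
    if not parser.getboolean("tpm", "enabled", fallback=False):
        return ["[tpm] enabled is not true; templates are not hardware-bound"]
    return []


def check_mode(mode: int, label: str) -> list[str]:
    """Flag a file mode that lets group or others read or write the file."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{label} is readable by group/others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{label} is writable by group/others")
    return findings


def audit(config_path: str = CONFIG_PATH) -> list[str]:
    """Run both checks against the on-disk config and return all findings."""
    with open(config_path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    return check_tpm_enabled(text) + check_mode(mode, config_path)


if __name__ == "__main__":
    for finding in audit() or ["no findings"]:
        print(finding)
```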