Security is of paramount importance to the tss-esapi project. We do all we can to identify and fix issues, however some problems might slip through the cracks. Any efforts towards responsible disclosure of security problems are greatly appreciated and your contributions will be acknowledged.

All security vulnerabilities affecting the tss-esapi project - including those reported using the steps highlighted below, those discovered during routine testing, and those found in our dependency tree either through cargo-audit or otherwise - will receive security advisories in a timely manner. The advisories should include sufficient information about the cause, effect, and possible mitigations for the vulnerability. If any information is missing, or you would like to raise a question about the advisories, please open an issue in our repo.

Efforts to mitigate for the reported vulnerabilities will be tracked using GitHub issues linked to the corresponding advisories.

To report a vulnerability, please send an email to [email protected]. We will promptly reply to your report and we will strive to keep you in the loop as we try to reach a resolution.

The authvalue provided to the TPM to perform certain operations like creating Primary Keys is currently randomly generated by getrandom, which assumes "that the system always provides high-quality cryptographically secure random data, ideally backed by hardware entropy sources."

The user of this software should take this into consideration when setting up their system and using this software.