
OpenSSL Security Policy - protomyth
https://www.openssl.org/policies/secpolicy.html
======
protomyth
_Threat Model_

 _Certain threats are currently considered outside of the scope of the OpenSSL
threat model. Accordingly, we do not consider OpenSSL secure against the
following classes of attacks:_

 _same physical system side channel_

 _CPU/hardware flaws_

 _physical fault injection_

 _physical observation side channels (e.g. power consumption, EM emissions,
etc)_

 _Mitigations for security issues outside of our threat scope may still be
addressed, however we do not class these as OpenSSL vulnerabilities and will
therefore not issue CVEs for any mitigations to address these issues._

 _We are working towards making the same physical system side channel attacks
very hard._

 _Prior to the threat model being included in this policy, CVEs were sometimes
issued for these classes of attacks. The existence of a previous CVE does not
override this policy going forward._

