§ Security

If you have an issue to report, please jump to the reporting issues section.

Security is extraordinarily important to us.

Because Flynn is an integrated platform that we control end-to-end we are able to implement many best practices by default and deploy technologies that would be extremely difficult for users to take advantage of on their own.

Now that we’ve reached the point where Flynn is stable enough for the majority of users in production, we are focusing on making Flynn secure by default.

Until we reach the point where everything is secure by default, it’s important to understand what the current security properties of Flynn are.

§ Distribution Security

All binaries that we provide, including flynn-host, the flynn CLI tool, and container images, are distributed securely using The Update Framework (TUF). TUF includes a robust, role-based signature system and protects against many attacks, including downgrades and CDN compromise. In addition to TUF, we serve all content exclusively over HTTPS.

Our Vagrant virtual machine images are served over HTTPS but are not currently signed, as signatures are not supported by Vagrant.

§ Internal Communication

Flynn uses several ports to communicate internally, and currently there is no authentication system for internal communication, so these ports must not be exposed to the Internet. To prevent compromise, a firewall must be configured so that the only Flynn ports reachable from outside are 80 and 443. Access to these internal Flynn ports is equivalent to root access on the host, so be careful.

Access to the controller and dashboard is available via HTTPS over port 443, and a randomly generated bearer token is used for authentication. The TLS certificate used for communication is generated during installation. A cryptographic hash of the certificate is pinned as part of the CLI configuration string to prevent man-in-the-middle attacks.

§ Dashboard CA Certificate

A CA certificate is also generated during installation and signs the certificate presented by the controller and dashboard. The private key associated with the CA certificate is discarded immediately to prevent misuse. The CA certificate is required as a work-around for how browsers handle multiple connections to servers with self-signed certificates. The CA certificate is provided to the browser by the dashboard in order to allow TLS-encrypted communication with the dashboard and the controller. If the Flynn installer is used, this CA certificate is transferred over SSH during installation and will prevent MITM attacks when visiting the dashboard. If the installer is not used, the certificate may be provided over an insecure connection the first time the dashboard is visited; do not install the certificate if the connection is not trusted. In the future we will use Let’s Encrypt to avoid the need for the generated certificates and trust bootstrapping.
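The two mechanisms above (a leaf certificate pinned by hash in the CLI configuration, and a CA whose private key is discarded right after signing that leaf) can be illustrated end to end. The following is an added example written for this page, not Flynn's own implementation; the SHA-256/hex pin format, the host name and the certificate fields are assumptions, and the CA key is simply a local that goes out of scope when minting finishes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// must keeps the demo short: any failure while minting certificates is fatal.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Pin is the value a CLI config string would carry (assumed format): hex SHA-256 of the DER cert.
func Pin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Mint creates a throwaway CA and one controller/dashboard leaf for host. The CA private
// key lives only inside this call, so no further certificates can ever be issued under it.
func Mint(host string) (ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Flynn CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// Verify does what a pinning client does: the presented leaf must chain to the trusted CA
// for host AND its hash must equal the pin from the config string; either failure rejects it.
func Verify(ca, leaf *x509.Certificate, host, pin string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil && Pin(leaf) == pin
}
```

A leaf signed by any other CA, presented for another host, or with a hash that differs from the pin is rejected, which is the property the pinned hash adds on top of the CA trust.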

§ Applications

Applications run within Flynn are not fully sandboxed and have access to internal Flynn APIs that can be used to gain root access on the server. Do not run untrusted code in Flynn.

There may be other unknown security flaws in Flynn. For the time being we do not recommend running Flynn in environments where there is access to sensitive data or services.

We are currently working to implement and improve basic security practices in Flynn so that it is secure by default, inside and outside. After that, the sky is the limit. Expect to see industry-leading security policies and practices baked into Flynn in the future.

§ Reporting Issues

If you discover a security flaw in Flynn that is not explicitly acknowledged here, please email us at security@flynn.io immediately. We will acknowledge your email as soon as we receive it, within 24 hours, and provide a more detailed response within 48 hours clearly indicating next steps. If you have the ability to use PGP, you can encrypt your email using the public key below.

After the initial reply to your report, we will keep you informed of the progress being made towards a fix and release. These updates will be sent frequently, usually at least every 24-48 hours.

If you do not get a reply to your initial email within 48 hours, please contact a member of the Flynn team directly and ask them to put the security team in touch with you immediately.

If you believe an existing issue is security-related, please send an email to security@flynn.io with the issue number and a description of why it should be treated as a security issue.

§ Disclosure Process

Flynn uses the following coordinated security disclosure process for security issues:

  1. Once a security report is received, it is assigned to a primary handler. This person coordinates the process of communicating with the reporter, fixing the bug, notifying users, and releasing an update.
  2. The issue is confirmed and the affected components and versions are determined.
  3. If a CVE-ID is necessary, one is obtained.
  4. Fixes are prepared for the current and previous stable release and the master branch. These fixes are not committed to the public repository.
  5. An advance notification is sent to the release announcements mailing list to allow users to prepare to apply the fix.
  6. Three days after the notification, the fix is applied to the public repository and new stable and nightly releases are pushed. The stable release will be a hotfix release that only contains the security fix.
  7. As soon as the fix is applied and released, announcements are sent to the release announcements mailing list and posted on the blog. The announcement will contain information on the affected versions, how to update, as well as available options for working around the issue.

The three-day advance announcement may be skipped at our discretion if a security issue becomes known publicly, is determined to be already exploited in the wild, or is in an upstream component that we depend on and we have no advance notice of the issue.

This policy is based on the Go security disclosure policy.

§ Security Announcements

The best way to receive security announcements is to subscribe to the release announcements mailing list. Any messages related to a security issue will have the word security in the subject.

§ PGP Key

pub   4096R/6913B2EF 2015-11-04 [expires: 2017-11-03]
      Key fingerprint = C334 DB91 6744 BD00 B347  0A86 0281 AD75 6913 B2EF
uid                  Flynn Security Team <security@flynn.io>