Security

The Termux team takes all security vulnerabilities seriously and we encourage external parties and users to report them. We are also a strong believer of security-through-transparency and we publicly disclose all vulnerabilities that our own team finds or are reported by others as per responsible disclosure timelines.

 

Timeline and Disclosure Policy

1. Once the report sent to us by an external party has been received, it will be triaged by our team to see if it is valid and what its impact is. It will normally be acknowledged within 3 business days if valid and will then be assigned to a maintainer who will handle the communication with the reporter and coordinate the deployment of fixes and the vulnerability disclosure.
2. We will normally deploy fixes for the security vulnerability within 90 days. However, if the vulnerability is being actively exploited, then we aim to deploy fixes within 7 days.
3. After the fixes have been deployed and available to users, the vulnerability report will be disclosed publicly after 30 days on GitHub security advisories and/or on our Termux site security posts.

Check the Termux Security Incident Response Checklist for more info on the actions that will taken when a security vulnerability is reported.

 

Acknowledgement and Rewards

The first entity who reports the vulnerability to us, whether they are in our own Termux team or are an external party, only they will be acknowledged and/or rewarded, depending on if they want to be acknowledged and under what name and link they want to be acknowledged with.

If the vulnerability exists only in older versions than the currently latest version, or if the vulnerability had already been fixed in the public/private git repository before the report was submitted, or if the vulnerability has already been reported or discovered by the maintainers but not yet fixed, then acknowledgements may not be given.

As for rewards, we currently do not have a rewards program, as all Termux services are primarily provided for free (beer) to our users and our Donations are rather limited and do not even cover the development costs itself of our entire team. However, for severe vulnerabilities, we may make an exception and pay out a token reward from our Open Collective, depending on our budget.

The security impact (and any potential reward) is judged based on the actual reported impact of the vulnerability, and not on a potential impact of the vulnerability. Vulnerabilities without a valid attack scenario are not accepted.

 

What To Include in the Report

When reporting, the following things must be considered.

A good quality report has all the relevant details for the security vulnerability and has the following characteristics:

• It must include the repository and the exact component(s) that are affected with a detailed description of the vulnerability.
• It must include the affected version(s) of affected component(s) and any other relevant version numbers, like for OS and hardware device, etc. "Latest version" is not a version name, include exact version name of the component that is affected.
• A proof-of-concept (POC) with a step-by-step explanation that effectively, easily and reliably reproduces the vulnerability, including any test code and its output in the form of text, screenshots or videos. Text is preferred unless vulnerability is visual and the screenshot/video shows the complete output and is not blurred.
• An analysis and demonstration of the impact of the vulnerability.

Additionally:

• If you have coding experience and want to help fix the vulnerability, then a proposed patch can be sent as well and it will be merged if it's the ideal solution.
• We also expect the reporter to be responsive when they are asked questions, and also accurately answer any queries about the vulnerability.
• If you are using a fork of Termux, then you should ideally first verify that the issue is reproducible in the Termux releases we provide before reporting to us. This can also help verify whether the issue exists because of changes in the fork or its config.
• See also How to ask, report and request for more info on what to normally include when reporting bugs to maintainers.
• The Termux community rules must also be followed when reporting and collaborating on security vulnerabilities. Being deliberately offensive or disrespectful to Termux team members will result in a ban.

 

Where To Report

Security vulnerabilities can be reported in two ways:

1. GitHub Security Advisories is the the preferred way to report security vulnerabilities as it is the standard way for open source projects and allows multiple people to securely and privately collaborate on a fix, and our dependents and forks can be notified of the security vulnerabilities as well once it is published.

   You can use the Security tab of the affected repository to report the vulnerability. Check GitHub docs for more info on how to report.

   Note that normal bugs are not security vulnerabilities, and must not be reported to GitHub Security Advisory and instead should be reported as an Issue to its respective repository. Sending repeated non-security bugs to GitHub Security Advisory or sending spam to it will result in a ban.

2. Emails can also be sent to one or more maintainers that (seem to) maintain the affected component, as listed after the repository links in sections below, or as per git history or CODEOWNERS file. Emails should preferably be gpg encrypted to maintain confidentiality from people who may have access to the intermediate mail servers. You can find the public gpg keys of our common maintainers in the termux-keyring package or at the https://github.com/<username>.gpg URL. If the gpg key is not available for any maintainer who is responsible for the affected component, you may send an unencrypted report, or preferably email an encrypted report to @agnostic-apollo ([email protected]) or @Grimler91 ([email protected]), whose keys are available.

 

The following lists the most popular and critical Termux repositories and their maintainers. You may email the respective maintainers if you want to report a vulnerability and cannot use GitHub security advisories, or if private questions/support/discussion is required. For the repositories below that are maintained by the "Termux team", either email to the maintainer that maintains the affected component as per git history or CODEOWNERS file, or email to @agnostic-apollo or @Grimler91.

Termux Apps

• Termux app. (@agnostic-apollo)
• Termux:API app and termux-api package. (@agnostic-apollo)
• Termux:Boot app. (@agnostic-apollo)
• Termux:Float app. (@agnostic-apollo)
• Termux:GUI app and its packages. (@tareksander)
• Termux:Keychain app and termux-keychain package. (@agnostic-apollo)
• Termux:Styling app. (@agnostic-apollo)
• Termux:Tasker app. (@agnostic-apollo)
• Termux:Widget app. (@agnostic-apollo)
• Termux:X11 app and termux-x11-nightly package. (@twaik)

Termux Packages Build and Repository Infrastructure

• termux-packages. (Termux team, see also CODEOWNERS)
• repology-metadata. (@Grimler91, @thunder-coding)

If you have found a security issue in a specific external package not developed by Termux itself, for example openssh, and the issue can be reproduced in non-termux installations as well, then the issue should be reported to the upstream maintainers as well.

Termux Internal Packages

• termux-core package. (@agnostic-apollo)
• termux-elf-cleaner package. (@Grimler91, @thunder-coding)
• termux-exec package. (@agnostic-apollo)
• proot package. (@michalbednarski)
• proot-distro package. (@sylirre)
• termux-tools package. (Termux team)

Termux Site

• termux.github.io. (@agnostic-apollo)