Security

2023-09-20T11:26:18-04:00

Our security program encompasses all aspects of OpenNMS. This includes our people, processes, and products, focusing on configuration and vulnerability management, security operations, architecture, and more.

We're guided by open source principles—sharing and collaborating with the greater community to help us continually improve and strengthen our offerings.

Our approach to security

We've created a security program that encompasses multiple control areas across our platforms. This program aligns with the ISO 27001/27002, CCPA, and GDPR frameworks, which provide a comprehensive security strategy and a diligent defense-in-depth approach to data protection.

The controls we implement incorporate various domains across the organization, from configuration and vulnerability management to security operations, architecture, and our people.

We're proud of what we've created, but we're not done yet. With the help of the community, we can continue to build our program and create a stronger and more secure platform for everyone to use.

Report security issues

If you're a support customer, please report security issues by logging in to the OpenNMS support portal.

Horizon community members, security researchers, and the general public should submit security-related issues to [email protected].

We welcome the development community to review our code on GitHub and contribute to security improvements.

OpenNMS follows these guidelines to responsibly disclose security vulnerabilities:

  • We do not publish vulnerabilities before releasing a fix
  • We do not publish exact details, such as proof-of-concept code
  • Unless instructed otherwise, OpenNMS will publicly acknowledge (via release notes and/or CVE) anyone that responsibly discloses vulnerabilities, following the same rules. Employees and contractors of OpenNMS and affiliates are excluded from public disclosure.

OpenNMS does not provide monetary awards for discovered vulnerabilities. However, we greatly appreciate the time and effort that goes into vulnerability discovery, and we thank you for your contributions.

Zero-trust architecture principles

In the past, OpenNMS Meridian (and other monitoring systems) relied on the built-in security provided by restricted-access private networks. However, private networks create a false "hard perimeter" sense of security, making them easy targets for insider threats, malware, and ransomware. Accessing Internet, cloud-based services, and distributed data centers from private networks punches holes in that hard perimeter.

Zero-trust architectures help adapt traditional IT infrastructure to today's highly connected, service- and cloud-reliant world. This approach:

  • Requires encryption, even within private networks, to protect data confidentiality and integrity. This helps prevent eavesdropping and tampering.
  • Uses strong authentication to ensure that parties only communicate with authorized partners—within or outside of private networks.

The OpenNMS Appliance comes preconfigured with encrypted communications, encrypted hard disks, secure boot via encrypted TPM modules, and digitally signed software that has been vetted by certified security penetration testers. And it gives you an inside-out view of your network or network segments.

We also offer OpenNMS Meridian configurations that adhere to these principles. Contact our technical support team for assistance with hardening your monitoring installation.
