Security
Our security program encompasses all aspects of OpenNMS. This includes our people, processes, and products, focusing on configuration and vulnerability management, security operations, architecture, and more.
We're guided by open source principles: sharing and collaborating with the greater community to help us continually improve and strengthen our offerings.
Security at OpenNMS
Our approach to security
We've created a security program that encompasses multiple control areas across our platforms. The program aligns with the ISO 27001/27002 standards and with the CCPA and GDPR privacy regulations, giving us a comprehensive security strategy and a diligent defense-in-depth approach to data protection.
The controls we implement incorporate various domains across the organization, from configuration and vulnerability management to security operations, architecture, and our people.
We're proud of what we've created, but we're not done yet. With the help of the community, we can continue to build our program and create a stronger and more secure platform for everyone to use.
Report security issues
If you're a support customer, please report security issues by logging in to the OpenNMS support portal.
Horizon community members, security researchers, and the general public should submit security-related issues to [email protected].
We welcome the development community to review our code on GitHub and contribute to security improvements.
OpenNMS follows these guidelines to responsibly disclose security vulnerabilities:
- We do not publish vulnerabilities before releasing a fix
- We do not publish exact details, such as proof-of-concept code
- Unless instructed otherwise, OpenNMS will publicly acknowledge (via release notes and/or CVE) anyone who responsibly discloses a vulnerability and follows the same guidelines. Employees and contractors of OpenNMS and its affiliates are excluded from public acknowledgement.
OpenNMS does not provide monetary awards for discovered vulnerabilities. However, we greatly appreciate the time and effort that goes into vulnerability discovery, and we thank you for your contributions.
Zero-trust architecture principles
In the past, OpenNMS Meridian (like other monitoring systems) relied on the implicit protection of restricted-access private networks. A private network creates a false "hard perimeter" sense of security: anything that gets inside, whether an insider, malware, or ransomware, finds little standing in its way. Reaching the Internet, cloud-based services, and distributed data centers from a private network punches further holes in that perimeter.
Zero-trust architectures adapt traditional IT infrastructure to today's highly connected, service- and cloud-reliant world. This approach:
- Requires encryption, even within private networks, to protect data confidentiality and integrity and so prevent eavesdropping and tampering.
- Uses strong authentication so that each party communicates only with authorized peers, whether inside or outside the private network.
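The two principles above in working form, as an added example: this is not OpenNMS code and does not describe how Meridian or the Appliance implement them. The Go program below mints a private CA plus a server and client certificate in memory, starts a loopback HTTPS server that encrypts every connection and refuses any client whose certificate does not chain to that CA, and then probes it three ways: with a trusted client certificate, with no certificate, and with a certificate for the same name issued by a rogue CA. The last two fail at the TLS layer, which is the point of zero trust: being able to reach the port on the "private" network buys the caller nothing. Names such as monitoring-ca, monitoring-server and collector-1 are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints an in-memory certificate for cn: self-signed (a CA when isCA) if parent is nil, else signed by parent.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: new(big.Int).Add(must(rand.Int(rand.Reader, big.NewInt(1<<62))), big.NewInt(1)),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: usable on either end of the link, valid for the loopback address the test server listens on
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// NewMTLSServer starts a loopback HTTPS server that presents server and refuses any client whose certificate does not chain to ca.
func NewMTLSServer(ca, server tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName) // verified identity, usable for authorization
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate, or one from an unknown CA, ends the handshake
		ClientCAs:    x509.NewCertPool(),
	}
	srv.TLS.ClientCAs.AddCert(ca.Leaf)
	srv.StartTLS()
	return srv
}

// Probe sends one GET to url, trusting only ca for the server and presenting client (nil = none); it returns the HTTP status or the TLS error.
func Probe(url string, ca tls.Certificate, client *tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: x509.NewCertPool()} // the client authenticates the server against the same private CA
	cfg.RootCAs.AddCert(ca.Leaf)
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Demo builds a private CA with server and client identities (placeholder names) and returns the trusted client's
// HTTP status plus whether a client with no certificate and one with a rogue-CA certificate were rejected.
func Demo() (validStatus int, noCertRejected, wrongCARejected bool) {
	ca := issue("monitoring-ca", true, nil)
	server := issue("monitoring-server", false, &ca)
	client := issue("collector-1", false, &ca)
	rogueCA := issue("rogue-ca", true, nil)
	rogue := issue("collector-1", false, &rogueCA) // same name, but an issuer the server does not trust
	srv := NewMTLSServer(ca, server)
	defer srv.Close()
	validStatus = must(Probe(srv.URL, ca, &client))
	_, err := Probe(srv.URL, ca, nil)
	noCertRejected = err != nil
	_, err = Probe(srv.URL, ca, &rogue)
	wrongCARejected = err != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `200 true true`: the trusted client is served, the other two never get past the handshake. The same shape applies to a real deployment, where the private CA, certificate issuance and rotation live in a PKI rather than in memory, and the verified peer name (`r.TLS.PeerCertificates[0]`) is what an authorization decision should key on, not the source address.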
The OpenNMS Appliance comes preconfigured with encrypted communications, encrypted disks, secure boot backed by a TPM, and digitally signed software that has been vetted by certified security penetration testers. It gives you an inside-out view of your network or network segments.
We also offer OpenNMS Meridian configurations that adhere to these principles. Contact our technical support team for assistance with hardening your monitoring installation.
Keep reading
Secure OpenNMS Meridian: Get started with the reference architecture
Secure your Meridian deployment
Simply deploying a monitoring solution, like OpenNMS Meridian, opens up new security challenges and implications. Fortunately, [...]
What is Network Segmentation?
Network segmentation is the process of dividing a network into smaller, more manageable pieces (segments) to improve its security posture. [...]