Security

We've created a security program that encompasses multiple control areas across our platforms. This program aligns with the ISO 27001/27002, CCPA, and GDPR frameworks, which provide a comprehensive security strategy and a diligent defense-in-depth approach to data protection.

The controls we implement incorporate various domains across the organization, from configuration and vulnerability management to security operations, architecture, and our people.

We're proud of what we've created, but we're not done yet. With the help of the community, we can continue to build our program and create a stronger and more secure platform for everyone to use.

If you're a support customer, please report security issues by logging in to the OpenNMS support portal.

Horizon community members, security researchers, and the general public should submit security-related issues to [email protected].

We welcome the development community to review our code on GitHub and contribute to security improvements.

OpenNMS follows these guidelines to responsibly disclose security vulnerabilities:

• We do not publish vulnerabilities before releasing a fix
• We do not publish exact details, such as proof-of-concept code
• Unless instructed otherwise, OpenNMS will publicly acknowledge (via release notes and/or CVE) anyone that responsibly discloses vulnerabilities, following the same rules. Employees and contractors of OpenNMS and affiliates are excluded from public disclosure.

OpenNMS does not provide monetary awards for discovered vulnerabilities. However, we greatly appreciate the time and effort that goes into vulnerability discovery, and we thank you for your contributions.

In the past, OpenNMS Meridian (and other monitoring systems) relied on the built-in security provided by restricted-access private networks. However, private networks create a false "hard perimeter" sense of security, making them easy targets for insider threats, malware, and ransomware. Accessing Internet, cloud-based services, and distributed data centers from private networks punches holes in that hard perimeter.

Zero-trust architectures help adapt traditional IT infrastructure to today's highly connected services- and cloud-reliant world. This approach:

• Requires encryption, even within private networks, to protect data confidentiality and integrity. This helps prevent eavesdropping and tampering.
• Uses strong authentication to ensure that parties only communicate with authorized partners—within or outside of private networks.

We also offer OpenNMS Meridian configurations that adhere to these principles. Contact our technical support team for assistance about hardening your monitoring installation.