The Security Team takes security very seriously and its developers are constantly working on making our products as secure as possible. This page will provide information about recent security vulnerabilities, what to do in the event of a security vulnerability affecting your system, and how to report vulnerabilities.
All security issues should be reported to the Security Team. All reports should at least contain:
The PGP key fingerprint is:
E345 EF8C 4539 E974 943C 831D 13B9 87FD 9214 F8DA
The PGP key ID is:
After this information has been reported the Security Team we will get back to you.
As a general policy, the Security Team favors full disclosure of vulnerability information after a reasonable delay to permit safe analysis and correction of a vulnerability, as well as appropriate testing of the correction, and appropriate coordination with other affected parties.
The Security Team may bring additional Netgate developers or outside developers into discussion of a submitted security vulnerability if their expertise is required to fully understand or correct the problem. Appropriate discretion will be exercised to minimize unnecessary distribution of information about the submitted vulnerability, and any experts brought in will act in accordance of Security Team policies.
If a release process is underway, the Release Engineer may also be notified that a vulnerability exists, and its severity, so that informed decisions may be made regarding the release cycle and any serious security bugs present in software associated with an up-coming release. If requested, the Security Team will not share information regarding the nature of the vulnerability with the Release Engineer, limiting information flow to existence and severity.
Submitters should be careful to explicitly document any special information handling requirements.
If the submitter of a vulnerability is interested in a coordinated disclosure process with the submitter and/or other vendors, this should be indicated explicitly in any submissions. In the absence of explicit requests, the Security Team will select a disclosure schedule that reflects both a desire for timely disclosure and appropriate testing of any solutions. Submitters should be aware that if the vulnerability is being actively discussed in public forums, and actively exploited, the Security Team may choose not to follow a proposed disclosure timeline in order to provide maximum protection for the user base.