The Asterisk project takes the issue of its users' security seriously. If you believe you have found a security vulnerability in the Asterisk software itself, please follow the steps on this wiki page to report the security vulnerability to the Asterisk Development Team.
What Can Be Reported?
- Issues relating to the Asterisk source code or usage.
- Issues in the configuration of a tool the Asterisk project uses.
Reporting a Security Vulnerability
- Send an e-mail to the Asterisk Development Team by e-mailing [email protected]. Include the following:
  - A summary of the suspected vulnerability, e.g., 'Remotely exploitable buffer overflow in the FOO channel driver'
  - A detailed explanation of how the vulnerability can be exploited and/or reproduced. Test drivers/cases that can be used to demonstrate the vulnerability are highly appreciated.
- A developer will respond to your inquiry. If you'd like, e-mails can be signed and/or encrypted.
- Once the developer has discussed and confirmed the security vulnerability with you, you will be asked to report it on the Asterisk issue tracker. You must use the "Report a vulnerability" option on the New Issue page; otherwise the information will be publicly disclosed.
Security vulnerabilities are treated seriously by the developer community, and the Asterisk Development Team always attempts to address vulnerabilities in a timely fashion. Sometimes, external influences may impact when a security release can be made; feel free to e-mail the developer assigned to the issue or [email protected] to discuss the schedule for a security release for your issue.
Past Security Vulnerabilities
Past security vulnerability reports are available on the asterisk.org web site and on the Asterisk downloads site.
All security vulnerabilities are also issued a CVE number and can be queried in the CVE database.
The Asterisk project does not provide rewards for the submission of security vulnerabilities. Recognition for Asterisk code security vulnerabilities is provided by naming the reporter in the release notes and security advisory. For security vulnerabilities in infrastructure or non-Asterisk code, recognition is not guaranteed and is determined on a case-by-case basis.