The Asterisk project takes the issue of its users security seriously. If you believe you have found a security vulnerability in Asterisk, please follow the steps on this wiki page to report the security vulnerability to the Asterisk Development Team.
Reporting a Security Vulnerability
- Send an e-mail to the Asterisk Development Team by e-mailing firstname.lastname@example.org. Include the following:
- A summary of the suspected vulnerability, e.g., 'Remotely exploitable buffer overflow in the FOO channel driver'
- A detailed explanation of how the vulnerability can be exploited and/or reproduced. Test drivers/cases that can be used to demonstrate the vulnerability are highly appreciated.
- A developer will respond to your inquiry. If you'd like, e-mails can be signed and/or encrypted.
- A private issue will be created by a bug marshal in the Asterisk issue tracker for your vulnerability.
- The bug marshal will lock the issue down and change the reporter to your user account. only at that point should you post details to the locked issue.
Security vulnerabilities are treated seriously by the developer community, and the Asterisk Development Team always attempts to address vulnerabilities in a timely fashion. Sometimes, external influences may impact when a security release can be made; feel free to e-mail the developer assigned to the issue or email@example.com to discuss the schedule for a security release for your issue.
Past Security Vulnerabilities
All security vulnerabilities are also issued a CVE number and can be queried in the CVE database.
Participating in Security Issues
All Asterisk Developers who have commit access are welcome to participate in the development of solutions to security issues. Security issues can be viewed in JIRA using the label
When a new security issue is created, an e-mail will be sent to the asterisk-dev mailing list notifying the community of the issue. This e-mail will not contain any information about the vulnerability, and will merely contain a link to the new security issue.
When a patch is ready to be peer reviewed on Gerrit, a review will be created using the review project Security-asterisk. This project is not normally visible to Gerrit users, is invite only, and generates no e-mails to the asterisk-dev mailing list. Users who have the Bug Marshal permission in JIRA are invited to participate in the review process.
Once the patch has been peer reviewed, it should not be committed. Committing the patch must be coordinated as an overall security release. This is typically handled by the affected branch maintainers.