Skip to end of metadata
Go to start of metadata

The Asterisk project takes the issue of its users security seriously. If you believe you have found a security vulnerability in the Asterisk software itself, please follow the steps on this wiki page to report the security vulnerability to the Asterisk Development Team.


The Asterisk project does not produce or work on the underlying tools the project uses, such as JIRA and Gerrit. For security vulnerabilities found in these the report should be directed to the company or project that creates it. We will however accept reports related to the configuration of those tools.

The Issue Tracker is Public!


The Asterisk Issue Tracker is a public site, and all bug reports against Asterisk can be viewed openly by the public. While this results in a transparent, open process - which is good - reporting a security vulnerability on the issue tracker without properly selecting the "Security" issue type makes the entire Asterisk user community vulnerable.

The "Security" issue type will automatically lock down the issue so it can only be viewed by the reporter and bug marshals. If you have any difficulties with that we'll help; please follow the instructions here and e-mail the team at [email protected]


The Gerrit Code Review tool is a public site and security fixes should not be placed up on it by a reporter. Patches should be attached to the security issue instead.

What Can Be Reported?

  1. Issues relating to the Asterisk source code or usage.
  2. Issues in the configuration of a tool the Asterisk project uses.


Reporting a Security Vulnerability

  1. Send an e-mail to the Asterisk Development Team by e-mailing [email protected] Include the following:
    1. A summary of the suspected vulnerability, e.g., 'Remotely exploitable buffer overflow in the FOO channel driver'
    2. A detailed explanation of how the vulnerability can be exploited and/or reproduced. Test drivers/cases that can be used to demonstrate the vulnerability are highly appreciated.
  2. A developer will respond to your inquiry. If you'd like, e-mails can be signed and/or encrypted.
  3. Once the developer confirms the security vulnerability is discussed and confirmed you will be asked to create an issue on the Asterisk issue tracker of type "Security". You must use a "Security" issue type or the information will be publicly disclosed.

Security vulnerabilities are treated seriously by the developer community, and the Asterisk Development Team always attempts to address vulnerabilities in a timely fashion. Sometimes, external influences may impact when a security release can be made; feel free to e-mail the developer assigned to the issue or [email protected] to discuss the schedule for a security release for your issue.


Past Security Vulnerabilities

Past security vulnerability reports are available on the web site and on the Asterisk downloads site.

All security vulnerabilities are also issued a CVE number and can be queried in the CVE database.

Participating in Security Issues

All Asterisk Developers who have commit access are welcome to participate in the development of solutions to security issues. Security issues can be viewed in JIRA using the label Security:

When a new security issue is created, an e-mail will be sent to the asterisk-dev mailing list notifying the community of the issue. This e-mail will not contain any information about the vulnerability, and will merely contain a link to the new security issue.

When a patch is ready to be peer reviewed on Gerrit, a review will be created using the review project Security-asterisk. This project is not normally visible to Gerrit users, is invite only, and generates no e-mails to the asterisk-dev mailing list. Users who have the Bug Marshal permission in JIRA are invited to participate in the review process.


Please exercise caution when participating in security issues. It is far better to 'test' a reply or message on an issue, e-mail, or review than to leak information.

Once the patch has been peer reviewed, it should not be committed. Committing the patch must be coordinated as an overall security release. This is typically handled by the affected branch maintainers.


The Asterisk project does not provide rewards for the submission of security vulnerabilities. Recognition is provided for Asterisk code security vulnerabilities by being named as part of the release notes and security advisory. For security vulnerabilities in infrastructure or non-Asterisk code recognition is not guaranteed and is determined on a case by case basis.

  • No labels