The Asterisk project takes the issue of its users' security seriously. If you believe you have found a security vulnerability in Asterisk, please follow the steps on this wiki page to report the security vulnerability to the Asterisk Development Team.

Note

The Asterisk project does not produce or work on the underlying tools the project uses, such as JIRA and Gerrit. Security vulnerabilities found in these tools should be reported to the company or project that creates them.

Warning
The Issue Tracker is Public!

The Asterisk Issue Tracker is a public site, and all bug reports against Asterisk can be viewed openly by the public. While this results in a transparent, open process - which is good - reporting a security vulnerability on the issue tracker without properly selecting the "Security" issue type makes the entire Asterisk user community vulnerable.

The "Security" issue type will automatically lock down the issue so it can only be viewed by the reporter and bug marshals. If you have any difficulties with that, we'll help; please follow the instructions here and e-mail the team at security@asterisk.org.

Warning

The Gerrit Code Review tool is a public site, and a reporter should not post security fixes to it. Patches should be attached to the security issue instead.

What Can Be Reported?

  1. Issues relating to the Asterisk source code or usage.
  2. Issues in the deployment of a tool the Asterisk project uses.

 

Reporting a Security Vulnerability

...

Security vulnerabilities are treated seriously by the developer community, and the Asterisk Development Team always attempts to address vulnerabilities in a timely fashion. Sometimes, external influences may impact when a security release can be made; feel free to e-mail the developer assigned to the issue or security@asterisk.org to discuss the schedule for a security release for your issue.


 

Past Security Vulnerabilities

...