The Asterisk Issue Tracker is a public site, and all bug reports against Asterisk can be viewed openly by the public. While this results in a transparent, open process - which is good - reporting a security vulnerability on the issue tracker without properly selecting "Report a vulnerability" on the New Issue page makes the entire Asterisk user community vulnerable.
Reporting a vulnerability will automatically restrict who can view the information. If you have any difficulties with that, we'll help; please follow the instructions here and e-mail the team at [email protected].
- Send an e-mail to the Asterisk Development Team at [email protected]. Include the following:
  - A summary of the suspected vulnerability, e.g., 'Remotely exploitable buffer overflow in the FOO channel driver'
  - A detailed explanation of how the vulnerability can be exploited and/or reproduced. Test drivers/cases that can be used to demonstrate the vulnerability are highly appreciated.
- A developer will respond to your inquiry. If you'd like, e-mails can be signed and/or encrypted.
- Once the security vulnerability has been discussed and confirmed by the developer, you will be asked to report a vulnerability on the Asterisk issue tracker. You must use the "Report a vulnerability" option on the New Issue page or the information will be publicly disclosed.