
The Asterisk project takes the security of its users seriously. If you believe you have found a security vulnerability in Asterisk, please follow the steps on this wiki page to report it to the Asterisk Development Team.

The Issue Tracker is Public!

The Asterisk Issue Tracker is a public site, and all bug reports against Asterisk can be viewed openly by the public. While this results in a transparent, open process, which is good, reporting a security vulnerability on the issue tracker without properly locking the issue exposes the entire Asterisk user community to that vulnerability.

The issue tracker does have the ability to restrict an issue's visibility to only the bug reporter and the bug marshals; however, if you do not feel confident creating such an issue, don't worry about filing it yourself. We'll help you with that; please follow the instructions below and e-mail the team at security@asterisk.org.

Reporting a Security Vulnerability

  1. Send an e-mail to the Asterisk Development Team at security@asterisk.org. Include the following:
    1. A summary of the suspected vulnerability, e.g., 'Remotely exploitable buffer overflow in the FOO channel driver'
    2. A detailed explanation of how the vulnerability can be exploited and/or reproduced. Test drivers or test cases that can be used to demonstrate the vulnerability are highly appreciated.
  2. A developer will respond to your inquiry. If you'd like, e-mails can be signed and/or encrypted.
  3. A private issue will be created in the Asterisk issue tracker for your vulnerability. If you feel comfortable creating a private issue in the issue tracker yourself, you may also choose to do this.

Security vulnerabilities are treated seriously by the developer community, and the Asterisk Development Team always attempts to address them in a timely fashion. Sometimes external factors affect when a security release can be made; feel free to e-mail the developer assigned to the issue, or security@asterisk.org, to discuss the schedule for the security release covering your issue.

Past Security Vulnerabilities

Past security vulnerability reports are available on the asterisk.org web site and on the Asterisk downloads site.

All security vulnerabilities are also assigned a CVE number and can be looked up in the CVE database.
