SECURITY REPORT
We take security very seriously. If you have discovered a security vulnerability in one of our projects and you would like to report it to us, you can send an encrypted message to our Security Entry Point at sep@nlnetlabs.nl.
To encrypt your message, GnuPG is available as free and open source software.
Please allow us a reasonable timeframe to formulate a response and do not send security issues to public lists. If desired, we will fully credit the reporter.
If a flaw is found we intend to provide security patches, for free, to the general public. In addition, we strive to be transparent about the nature, cause and impact of security flaws. Since the announcement of a security flaw may trigger the creation of exploits, we strive to balance transparency about flaws with the impact exploits might have on the Internet and its users.
We will follow specific internal guidelines, though circumstances may force us to not apply this policy in full. End of support for the software by NLnet Labs will be publicly announced two years in advance. All security vulnerabilities will be identified with dedicated CERT vulnerability tracking numbers.
In general, the security patches are distributed according to the following priority:
1. Customers with a Gold support contract and the party that reported the vulnerability, under non-disclosure
2. Special Interest groups, under non-disclosure. These are entities that operate our project in an environment that is critical to the general public, as well as known Open Source platform Operating System maintainers
3. Customers with a Silver support contract, under non-disclosure
4. Customers with a Bronze support contract, under non-disclosure
5. The general public
With regard to these five groups, we take the following considerations into account:
- The time scale on which we publish/distribute security patches differs depending on the nature of the security issue. If the issue is widely known or exploited at the moment we have developed a patch (zero day), we intend to release the patch as soon as possible to the widest audience possible, which collapses stages 1 through 5 above to the order of days.
- If the issue is not yet public, we intend to release security patches to the general public on a short timescale, in the order of weeks.
- If we cannot find a fix for the security vulnerability, we obviously cannot provide code and may seek assistance. In order to prevent zero-day exploits, information about (the existence of) these types of vulnerabilities may only be shared under non-disclosure with category 1 and, if circumstances dictate, with category 2.
- We provide patches for the latest released software version, i.e. the latest major, minor, patch level release.
- In general, we provide support for the previous major release for one year after its deprecation. We therefore also provide security patches for major releases from one year past. A major release is the increment in the first version number.
Please keep in mind that our projects are made available under the BSD or Mozilla public license and come with ABSOLUTELY NO WARRANTY.
Please do not use our Security Entry Point for bug reports or feedback about our website. Bug reports can be submitted for each project on GitHub. Any other feedback can be sent to us via labs@nlnetlabs.nl.
Security Entry Point Security Key