SECURITY REPORT
We take security very seriously. If you have discovered a security vulnerability in one of our projects and you would like to report it to us, you can send an encrypted message to our Security Entry Point at sep@nlnetlabs.nl. We do not pay out bug bounties.
To encrypt your message, GnuPG is available as free and open source software.
Please allow us a reasonable timeframe to formulate a response and do not send security issues to public lists. If desired, we will fully credit the reporter.
If a flaw is found we intend to provide security patches, for free, to the general public. In addition, we strive to be transparent about the nature, cause and impact of security flaws. Since the announcement of a security flaw may trigger the creation of exploits, we strive to balance transparency about flaws with the impact exploits might have on the Internet and its users.
We will follow specific internal guidelines, though circumstances may force us to not apply this policy in full. End of support for the software by NLnet Labs will be publicly announced two years in advance. All security vulnerabilities will be identified with dedicated CERT vulnerability tracking numbers.
In general, the security patches are distributed according to the following priority:
1. Customers with a Gold support contract and the party that reported the vulnerability, under non-disclosure
2. Special Interest groups, under non-disclosure. These are entities that operate our project in an environment that is critical to the general public, as well as known Open Source platform Operating System maintainers
3. Customers with a Silver support contract, under non-disclosure
4. Customers with a Bronze support contract, under non-disclosure
5. The general public
With regard to these five groups, we take the following considerations into account:
- The time scale on which we publish/distribute security patches differs depending on the nature of the security issue. If the issue is widely known or exploited at the moment we have developed a patch (zero day), we intend to release the patch as soon as possible to the widest audience possible, which collapses stages 1 through 5 above to the order of days.
- If the issue is not yet public, we intend to release security patches to the general public on a short timescale, in the order of weeks.
- If we cannot find a fix for the security vulnerability, we obviously cannot provide code and may seek assistance. In order to prevent zero-day exploits, information about (the existence of) these types of vulnerabilities may only be shared under non-disclosure with category 1 and, if circumstances dictate, with category 2.
- We provide patches for the latest released software version, i.e. the latest major, minor, patch-level release.
- In general, we provide support for the previous major release for one year after its deprecation. We therefore also provide security patches for major releases from one year past. A major release is the increment in the first version number.
Please keep in mind that our projects are made available under the BSD or Mozilla public license and come with ABSOLUTELY NO WARRANTY.
Scope and rewards
If you have a bug report without security impact, please use the public issue tracking available for each project on GitHub. Feedback about our website, or any other feedback, can be sent to us via labs@nlnetlabs.nl.
We are a non-profit organisation dedicated to creating and maintaining open source software for the community, completely free of charge, and warmly welcome any reports of vulnerabilities for our software. We do not offer monetary compensation for your report, nor do we offer a bug bounty program. We do credit reporters when releasing fixes.
OpenPGP key
The OpenPGP key can be copied from below or downloaded here.