SECURITY REPORT

We take security very seriously. If you have discovered a security vulnerability in one of our projects and you would like to report it to us, you can send an encrypted message to our Security Entry Point at sep@nlnetlabs.nl. We do not pay out bug bounties.

To encrypt your message, you can use GnuPG, which is available as free and open source software.

Please allow us a reasonable timeframe to formulate a response and do not send security issues to public lists. If desired, we will fully credit the reporter.

If a flaw is found we intend to provide security patches, for free, to the general public. In addition, we strive to be transparent about the nature, cause and impact of security flaws. Since the announcement of a security flaw may trigger the creation of exploits, we strive to balance transparency about flaws with the impact exploits might have on the Internet and its users.

We will follow specific internal guidelines, though circumstances may force us to not apply this policy in full. End of support for the software by NLnet Labs will be publicly announced two years in advance. All security vulnerabilities will be identified with dedicated CERT vulnerability tracking numbers.

In general, the security patches are distributed according to the following priority:

  1. Customers with a Gold support contract and the party that reported the vulnerability, under non-disclosure
  2. Special Interest groups, under non-disclosure. These are entities that operate our project in an environment that is critical to the general public, as well as known Open Source platform Operating System maintainers
  3. Customers with a Silver support contract, under non-disclosure
  4. Customers with a Bronze support contract, under non-disclosure
  5. The general public

With regard to these five groups, we take the following considerations into account:

  • The time scale on which we publish/distribute security patches differs depending on the nature of the security issue. If the issue is widely known or exploited at the moment we have developed a patch (zero day), we intend to release the patch as soon as possible to the widest audience possible, which collapses stages 1 through 5 above to the order of days.
  • If the issue is not yet public, we intend to release security patches to the general public on a short timescale, in the order of weeks.
  • If we cannot find a fix for the security vulnerability, we obviously cannot provide code and may seek assistance. In order to prevent zero-day exploits, information about (the existence of) these types of vulnerabilities may only be shared under non-disclosure with category 1, and if circumstances dictate with category 2.
  • We provide patches for the latest released software version i.e. the latest major, minor, patch level release.
  • In general, we provide support for the previous major release for one year after its deprecation. We therefore also provide security patches for major releases from one year past. A major release is the increment in the first version number.

Please keep in mind that our projects are made available under the BSD or Mozilla public license and come with ABSOLUTELY NO WARRANTY.

Scope and rewards

If you have a bug report without security impact, please use the public issue tracking available for each project on GitHub. Feedback about our website, or any other feedback, can be sent to us via labs@nlnetlabs.nl.

We are a non-profit organisation dedicated to creating and maintaining open source software for the community, completely free of charge, and warmly welcome any reports of vulnerabilities for our software. We do not offer monetary compensation for your report, nor do we offer a bug bounty program. We do credit reporters when releasing fixes.

Security Entry Point Security Key

Key ID: CC31 9C7E 7DD4 AD00
Key Type: RSA
Key Size: 4096
Fingerprint: 6E7C 0CAB C0A4 3CBA 5A01  98E8 CC31 9C7E 7DD4 AD00
User ID: Security Entry Point <sep@nlnetlabs.nl>
