security.html

<!DOCTYPE html>
<html lang="en">

    <!-- HEAD -->
    <head>
        <meta charset="utf-8">
        <title>Security | TCPDUMP &amp; LIBPCAP</title>
        <meta name="description" content="Web site of Tcpdump and Libpcap">
        <link href="style.css" rel="stylesheet" type="text/css" media="screen">
        <link href="images/T-32x32.png" rel="shortcut icon" type="image/png">
    </head>
    <!-- END OF HTML HEAD -->

    <!-- BODY -->
    <body>

        <!-- TOP MENU -->
        <div id="menu">
            <ul>
                <li><a href="index.html">Home</a></li>
                <li class="current_page_item"><a href="security.html">Security</a></li>
                <li><a href="faq.html">FAQ</a></li>
                <li><a href="manpages/">Man Pages</a></li>
                <li><a href="ci.html">CI</a></li>
                <li><a href="linktypes.html">Link-Layer Header Types</a></li>
                <li><a href="related.html">See Also</a></li>
                <li><a href="old_releases.html">Old Releases</a></li>
                <li><a href="thanks.html">Thanks!</a></li>
            </ul>
        </div>
        <!-- END OF TOP MENU -->

        <!-- PAGE HEADER -->
        <div id="splash">
            <br><img src="images/logo.png" alt="">
        </div>
        <div id="logo">
            <hr>
        </div>
        <!-- END OF PAGE HEADER -->

        <!-- PAGE CONTENTS -->
        <div id="page">

                <div class="post">
                    <h2 class="title">
                        CVE Numbering Authority
                    </h2>
                    <div class="entry">
                        <p>
                          The Tcpdump Group
                          <a class=away
                          href="https://www.cve.org/PartnerInformation/ListofPartners/partner/Tcpdump">
                          participates</a> in MITRE's CVE Program as a
                          <abbr title="CVE Numbering Authority">CNA</abbr> with the
                          scope limited to tcpdump
                          and libpcap vulnerabilities.  Any involvement with
                          vulnerabilities in other software can be considered on
                          a case by case basis only if the software is closely
                          related to packet capture and analysis and if the case
                          does not belong to the scope of another CNA.
                        </p>
                    </div>
                </div>

                <div class="post">
                    <h2 class="title">
                        Security Contacts and Vulnerability Disclosure Policy
                    </h2>
                    <div class="entry">
                        <p>
                          All vulnerabilities <strong>must</strong> be
                          reported to The Tcpdump Group via
			  <a href="mailto:security@tcpdump.org">security@tcpdump.org</a>.
                          Please try to keep as close to a responsible disclosure
                          process as is reasonably practicable.  Vulnerabilities
                          that have been deliberately made public by the reporter
                          will <strong>not</strong> be credited.
                        </p>
                        <p>
                          Vulnerabilities will be disclosed to the
                          public at the next release of the software that experiences
                          the problem.
                        </p>
                        <p>
                          As a volunteer-run open source software organization, The
                          Tcpdump Group can not promise to release within a set
                          period like 90 days.
                        </p>
                        <p>
                          The Tcpdump Group aims to release at least once a year.
                          This is a best effort commitment.  We will attempt to
                          ship more often but this will depend upon
                          availability of volunteer time and the amount of other
                          work in need of attention.
                        </p>
                        <p>
                          Each release will do its best to credit the
                          reporter with the identifying of the vulnerability.
                          Each confirmed unique issue that applies to a release
                          will be assigned a CVE number at
                          the time of reporting.  You can find a list of the most
                          recently processed CVEs <a href="public-cve-list.txt">here</a>.
                        </p>
                        <p>
                          Bug reports should include a sample <code>.pcap</code> (or
                          <code>.pcapng</code>) file that demonstrates the problem.
                          An effort will be made to keep the sample file
                          confidential until the bug has been fixed. Once
                          fixed, the sample file is expected to be released
                          publicly as part of a test case.
                        </p>
                    </div>
                </div>
        </div>
        <!-- END OF PAGE CONTENTS -->

        <!-- FOOTER -->
        <div id="footer">
            <p>
                This web site is &copy; 1999&ndash;2026 The Tcpdump Group
                (<a href="https://github.com/the-tcpdump-group/tcpdump-htdocs/blob/master/README.md">more
                information</a>).
            </p>
        </div>
        <!-- END OF FOOTER -->

    </body>
    <!-- END OF HTML BODY -->
</html>