As one would expect from a security project, OpenVAS takes the security of the project and the software components we develop very seriously. Whilst we are comfortable with the idea of full disclosure and operate a public bug tracker and development mailing list through which the public at large can communicate with project developers regarding any concerns relating to the project, we also recognise that many security researchers feel more comfortable with the concept of responsible, partial or co-ordinated disclosure. To that end, we have updated our vendor dictionary entry on OSVDB and published this page to give an alternate workflow through which vulnerabilities can be disclosed.
Vulnerability handling process
An overview of the vulnerability handling process is:
- The reporter reports the vulnerability privately to OpenVAS.
- The appropriate component's developers work privately with the reporter to resolve the vulnerability.
- A new release of the OpenVAS component concerned is made that includes the fix.
- The vulnerability is publicly announced.
Please note that we do not use a team OpenPGP key. If you wish to encrypt your e-mail to firstname.lastname@example.org then please use the OpenPGP keys of the members of the OpenVAS Steering Team and be aware that it may take us a little longer to respond to the issue.