
Security

As one would expect from a security project, OpenVAS takes the security of the project and the software components we develop very seriously. We are comfortable with the idea of full disclosure and operate a public bug tracker and development mailing list through which the public at large can communicate with project developers regarding any concerns relating to the project. We also recognise that many security researchers feel more comfortable with the concept of responsible, partial or co-ordinated disclosure. To that end, we have updated our vendor dictionary entry on OSVDB and published this page to give an alternative workflow through which vulnerabilities can be disclosed.

Vulnerability handling process

An overview of the vulnerability handling process is:

OpenVAS has good contacts with oss-security, oCERT and the OSVDB and can request a CVE where necessary.

Security contacts

Please note that we do not use a team OpenPGP key. If you wish to encrypt your e-mail to security@openvas.org, please use the OpenPGP keys of the members of the OpenVAS Steering Team, and be aware that it may take us a little longer to respond to the issue.

Published advisories