FreePBX takes security vulnerabilities very seriously. If you think you have discovered a vulnerability, please email security@sangoma.com at your earliest convenience and a staff member will reply to you as soon as possible.

If you think you have found a security vulnerability in FreePBX, we would love to work with you to get it resolved!

First Contact

The first thing for you to do is to email security@sangoma.com, and please include as many details as possible. This includes such things as code snippets and a proof of concept (if you have one). We will evaluate the report and send a non-automated response within 3 (US) business days.

This follow-up may request additional information and require additional time for evaluation if enough detail was not originally supplied. Once verified, a private issue will be created that is visible only to staff and to you as the reporter. You will need an account on http://issues.freepbx.org.

Investigation and Resolution

The time this takes will vary greatly based on the amount of detail provided and the ultimate complexity of the issue. The goal is to verify and resolve issues as quickly as possible, but there is no guaranteed amount of time. The goal for the entire process is to be at or below Google's Project Zero standard of 60 days, but we expect to be able to work with the CERT standard of 45 days from report to full public disclosure.

Initial Public Disclosure

Once an issue has been verified and fixed an abstract public disclosure will be released. This disclosure will have the following items:

  1. Name of component affected

  2. Affected versions

  3. Fixed versions

  4. Credit to the person who discovered the issue (if permitted by the researcher)

  5. A CVE if available.

This disclosure will be made via our wiki (http://wiki.freepbx.org), our forums (http://community.freepbx.org) and through social media such as http://twitter.com/FreePBX.

Mitigation Period

A minimum mitigation period of 14 days is normally requested to allow the public to act on the information and update as necessary to resolve the reported issue.

Full Disclosure

After the agreed-on mitigation period has expired, the reporter may make full details public, including proofs of concept and other data, through whatever media they choose. Functional details of the exploit will not be released (by us) on our wiki, forums or issue tracker.

Fixed Versions

The current stable release, unreleased future versions, and one major release behind will receive security updates.

Where possible, issues will be fixed as far back as practical, but backporting a fix to every affected release is not always feasible.

Vulnerabilities in older versions may not be fixed. It is recommended that users run the latest version of FreePBX.

Bounty

...

Info

2024-03-11 The FreePBX security reporting policy outlined here supersedes all previous reporting methods including email.

The official home of security policy and reporting for FreePBX is on GitHub here:

https://github.com/FreePBX/security-reporting/security

The official security policy is published on GitHub at the above linked repo. The policy is reproduced in part in this wiki for convenience, but where the wiki content here differs from the official policy on GitHub, the GitHub source governs.

Reporting a Security Issue

If you believe you have found a security vulnerability please report it to us through the Security reporting process on GitHub linked above.

Use the "Report a vulnerability" button at the top of the FreePBX Security Reporting repository.

Please do not report security vulnerabilities through any other mechanisms, including email addresses formerly published for this purpose, or by opening a normal bug issue.

Please include as much of the information listed below as you can to help us better understand and resolve the issue:

  • The type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, unauthenticated access)

  • Any special configuration required to reproduce the issue

  • Step-by-step instructions to reproduce the issue

  • Proof-of-concept or exploit code (if possible)

  • Impact of the issue, including how an attacker might exploit the issue

  • FreePBX, Asterisk and Operating System versions

This information will help us triage your report more quickly.

We will generally not accept a security report unless it can be demonstrated on a currently supported major version.

Timeline

We aim to initially respond to security vulnerability reports within 3 US business days. We aim to resolve security vulnerability reports within 60 US business days, but may need additional time to be able to do so.

Policy Updates

The official security reporting policy is published on GitHub at

https://github.com/FreePBX/security-reporting/security

This policy may be updated at any time with full history viewable on GitHub.