The official home of security policy and reporting for FreePBX is on GitHub here:
https://github.com/FreePBX/security-reporting/security
The official security policy is published on GitHub at the above linked repo. The policy is reproduced in part in this wiki for convenience, but where the wiki content here differs from the official policy on GitHub, the GitHub source governs.
Reporting a Security Issue
If you believe you have found a security vulnerability please report it to us through the Security reporting process on GitHub linked above.
Use the "Report a vulnerability" button at the top of the FreePBX Security Reporting repository.
Please do not report security vulnerabilities through any other mechanisms, including email addresses formerly published for this purpose, or by opening a normal bug issue.
Please include as much of the information listed below as you can to help us better understand and resolve the issue:
The type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, unauthenticated access)
Any special configuration required to reproduce the issue
Step-by-step instructions to reproduce the issue
Proof-of-concept or exploit code (if possible)
Impact of the issue, including how an attacker might exploit the issue
FreePBX, Asterisk and Operating System versions
This information will help us triage your report more quickly.
We will generally not accept a Security report unless it can be demonstrated on a currently supported major version.
Timeline
We aim to initially respond to security vulnerability reports within 3 US business days. We aim to resolve security vulnerability reports within 60 US business days, but may need additional time to be able to do so.
Policy Updates
The official security reporting policy is published on GitHub at
https://github.com/FreePBX/security-reporting/security
This policy may be updated at any time with full history viewable on GitHub.