-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Vulnerability Reporting
Per our security policy, all potential vulnerabilities must be reported via email to [email protected]
.
Initial triage of vulnerability reports is handled by the NetBox Labs support team, and valid reports are forwarded to the NetBox maintainers team for further investigation. A NetBox maintainer will then:
- Validate the reported vulnerability
- Determine its impact and severity
- Create a (private) draft GitHub security advisory
- Coordinate with other maintainers to devise and implement a solution
Once implemented, the solution will be shipped in the next stable release of NetBox. Particularly severe issues may warrant immediately releasing a new version of NetBox. Security advisories will be published after a stable release containing the fix has been available for some time.
Please note that we do not issue or respond to CVEs, as these reports are entirely unmoderated and often inaccurate, redundant, and/or overstated with regard to actual impact on the product. (This article explores the challenges of dealing with nuisance CVEs.)