Updated FreePBX Security Reporting Policy

Lorne Gaetz

Lorne Gaetz

The FreePBX team continues its project to phase out the Atlassian stack and streamline OSS efforts for documentation, issue reporting and coding. As part of this, we’re introducing a new Security Policy and a new mechanism for reporting security issues in FreePBX.

The official home of FreePBX Security is on GitHub at:

https://github.com/FreePBX/security-reporting/security

There you’ll find the current version of the security policy as well as this big green button:

To report a security issue with the FreePBX project, just login to GitHub, browse to the URL linked above and hit the “Report a vulnerability” button. From there you will get a form to fill out with details of the security issue. Please provide a description of the problem with as much information as possible including such details as:

  • The type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, unauthenticated access)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

GitHub has robust features for security reporting, and we’ll be leveraging these for ensuring smooth communication to the reporter, for publishing details once the reported issue has been resolved, and for applying for CVEs if applicable.

With this announcement, we are officially abandoning all previous security reporting mechanisms, including the email addresses formerly published for this purpose. 

The Policy

In addition to the reporting mechanism, the official policy for dealing with security issues in FreePBX will also live on GitHub at the above link. It may change from time to time, and when it does, the policy page on GitHub will be updated to reflect these changes and changes will be promoted in the usual places.

There are no major changes to the security policy; here are the highlights:

  • The FreePBX team will generally accept security issues when demonstrated on any currently supported major version that is up to date.
  • Issues related to misconfigured systems or systems that are not securely configured may not be accepted.
  • The team will respond to the initial report within three US business days. Reported issues, when accepted, can be expected to be resolved within 60 days, but may take longer depending on circumstances. 
  • The reporter will be kept up to date with the GitHub security report.
  • Once resolved, notification will be distributed in the usual fashion, and will be published and viewable on GitHub.
  • As always for FreePBX security issues, Sangoma continues to maintain its longstanding Bug Bounty program. At Sangoma’s discretion, reporters may be compensated for their reports.

Please take a moment to review the policy in full. As stated above, the official home of the policy lives on GitHub. I’ve been updating the FreePBX wiki to refer to this page, but it’s possible there are still references to the old reporting method(s) in the wiki or published elsewhere. Wiki updates can be requested via the issue tracker, or by starting a thread on the FreePBX Forum.

Share this Blogpost

Start the Discussion

Sign up for our Newsletter

Scroll to Top