Security
As one would expect from a security project, OpenVAS takes the security of the project and the software components we develop very seriously. Whilst we are comfortable with the idea of full disclosure and operate a public bug tracker and development mailing list through which the public at large can communicate with project developers regarding any concerns relating to the project, we also recognise that many security researchers feel more comfortable with the concept of responsible and co-ordinated disclosure.
Vulnerability handling process
An overview of the vulnerability handling process is:
- The reporter reports the vulnerability privately to OpenVAS.
- The appropriate component's developers work privately with the reporter to resolve the vulnerability.
- A new release of the OpenVAS component concerned is made that includes the fix.
- The vulnerability is publicly announced.
Security contacts
Please note that we do not use a team OpenPGP key. If you wish to encrypt your e-mail to security@openvas.org then please use the OpenPGP keys of the members of the OpenVAS Steering Team and be aware that it may take us a little longer to respond to the issue.
