Reporting a security issue

Please report to us any issues you find. This document explains how to do that and what to expect in return.

All security bugs in the GNOME project should be reported using this form. The contents of this form are delivered to a small security team. Your submission will generally be acknowledged within one business day, and you’ll receive a more detailed response to your email within five business days indicating the next steps in handling your report.

After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement.

If you have not received a reply to your email within two business days, or you have not heard from the security team for the past five business days, please contact the GNOME staff at: info (at) gnome.org

Flagging existing issues as security-related

If you believe that an existing issue in a GNOME project is security-related and you are not the original submitter, we ask that you contact the maintainer to change the issue confidentiality. You can also use the form below to contact the security team; the message should include the project and issue ID, and a short description of why it should be handled according to this security policy.

Disclosure

The GNOME project uses the following disclosure process:

  • Once the security report is received, it is assigned to the project maintainer as its primary handler. The maintainer coordinates the fix and release process.
  • The issue is confirmed and a list of affected software is determined.
  • Code is audited to find any potential similar problems.
  • If it is determined, in consultation with the submitter, that a CVE is required, the submitter obtains one via cveform.mitre.org.
  • The fix is prepared for the development branch, and for the most recent stable branch. Additional backports to older stable releases may be prepared, in consultation with the submitter.
  • The fix is submitted to the public repository.
  • A new release containing the fix is issued.
  • On the day that either a new release is issued or the fix is submitted to the public repository, an announcement is made on distributor-list.

Comments on this policy

If you have any suggestions on how to improve this policy, please open a topic on Discourse.

Security report form

The contents of this form will be used to open an issue on GitLab; this issue will be accessible only by the security team members, the project maintainer, and the original submitter. Once the underlying issue is solved, the GitLab issue will be made public, and it will include the contents of this form and any additional communication between the original submitter, the project maintainer, and the security team members. The email you enter in this form will be part of the GitLab issue and cannot be fully redacted.

The area affected by the security issue
Please describe the issue in detail