Reporting a Security Issue

Please report any security issues you find to us. This document explains how to do that and what to expect in return.

All security bugs in the GNOME project should be reported using the form at the bottom of this page unless you wish to apply for a bug bounty. The contents of this form are delivered to a small security team. Your submission will generally be acknowledged within two business days. After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix.

If you have not received a reply to your report within two business days, or you have not heard from the security team for the past five business days, please contact the GNOME staff at: info (at) gnome.org

Bug Bounty Program

GNOME operates a YesWeHack bug bounty program. The scope of the program is limited. If your issue falls within the program scope and you wish to apply for a bounty, do not use the form on this page. Instead, report the issue directly to YesWeHack.

Viewing Reported Security Issues

GNOME maintains a list of security issues.

Flagging Existing Issues as Security-related

If you believe that an existing issue report in a GNOME project is security-related, we ask that you contact the maintainer to request that it be flagged for security tracking. You can also use the form below to contact the security team; the message should include the project and issue ID, and a short description of why it should be handled according to this security policy.

GNOME developers may flag an existing issue as security-related themselves by adding the Security label to it in GitLab.

Disclosure Process

The GNOME project uses the following disclosure process:

  • Once the security report is received, it is assigned to the project maintainer as its primary handler. The maintainer coordinates the fix and release process.
  • The issue is confirmed and a list of affected software is determined.
  • Code is audited to find any potential similar problems.
  • The fix is prepared for the development branch, and for the most recent stable branch. Additional backports to older stable releases may also be prepared.
  • The fix is submitted to the public repository.
  • A new release containing the fix is issued.

Issue reports remain confidential until a fix is committed to the git repository or until 90 days have passed, whichever comes first. We do not generally use embargoes.

The security team will generally request CVEs for noteworthy vulnerabilities at the time the issue is disclosed. Please confirm with a GNOME developer before requesting a CVE yourself. GNOME is not a CVE Numbering Authority, so we request CVEs from Red Hat by writing to Red Hat Product Security. Requesting CVEs via MITRE is not recommended and may result in considerable delays.

Comments on This Policy

If you have any suggestions on how to improve this policy, please open a topic on Discourse.

Security Report Form

The contents of this form will be used to open a confidential issue on GNOME GitLab, which will eventually be disclosed according to the process above. After disclosure, the GitLab issue will be public. This will include the contents of this form and any additional communication between the original submitter, the project maintainer, and the security team members; your comments will not remain confidential. The email you enter in this form will be visible in the GitLab issue and cannot be fully redacted.

If you have a GNOME GitLab account, do not use this form; open a confidential issue directly on GitLab instead, reporting infrastructure issues to the infrastructure tracker and all other security issues to the affected project.

The form asks for two things: the area affected by the security issue, and a detailed description of the issue.