Reporting a security issue
Please report to us any issues you find. This document explains how to do that and what to expect in return.
All security bugs in the GNOME project should be reported using the form at the bottom of this page unless you wish to apply for a bug bounty. The contents of this form are delivered to a small security team. Your submission will generally be acknowledged within one business day, and you’ll receive a more detailed response to your email within five business days indicating the next steps in handling your report.
After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement.
If you have not received a reply to your email within two business days or you have not heard from the security team for the past five business days, please contact the GNOME staff at: info (at) gnome.org
Bug bounty program
GNOME operates a YesWeHack bug bounty program. The scope of the program is limited. If your issue falls within the program scope, you may report the issue directly to YesWeHack instead of using this form.
Flagging existing issues as security-related
If you believe that an existing issue in a GNOME project is security-related and you are not the original submitter, we ask that you contact the maintainer to change the issue confidentiality. You can also use the form below to contact the security team; the message should include the project and issue ID, and a short description of why it should be handled according to this security policy.
Disclosure
The GNOME project uses the following disclosure process:
- Once the security report is received, it is assigned to the project maintainer as its primary handler. The maintainer coordinates the fix and release process.
- The issue is confirmed and a list of affected software is determined.
- Code is audited to find any potential similar problems.
- If it is determined, in consultation with the submitter, that a CVE is required, then the submitter needs to send an email to <secalert@redhat.com> with details of the vulnerability in order to allocate a CVE.
- The fix is prepared for the development branch, and for the most recent stable branch. Additional backports to older stable releases may be prepared, in consultation with the submitter.
- The fix is submitted to the public repository.
- A new release containing the fix is issued.
Comments on this policy
If you have any suggestions on how to improve this policy, please open a topic on Discourse.
Security report form
The contents of this form will be used to open an issue on GitLab; this issue will be accessible only to the security team members, the project maintainer, and the original submitter. Once the underlying issue is solved, the GitLab issue will be made public and it will include the contents of this form and any further communication between the original submitter, the project maintainer, and the security team members. The email you enter in this form will be part of the GitLab issue and cannot be fully redacted.