
Security: FreePBX/security-reporting

.github/SECURITY.md

Thanks for helping make Sangoma services and software safe for everyone.

Security

Sangoma takes the security of our software products and services seriously. We appreciate all security vulnerability reports.

Reporting Security Issues

If you believe you have found a security vulnerability please report it to us through the Security reporting process on GitHub.

For FreePBX, use the "Report a vulnerability" button at the top of the FreePBX Security Reporting repository.

Please do not report security vulnerabilities through any other mechanism, including public ones.

Please include as much of the information listed below as you can to help us better understand and resolve the issue:

  • The type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, unauthenticated access)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

Security Issues We Will Not Accept

Sangoma cannot accept security vulnerability reports against customer-deployed solutions that run an old version of our products lacking patches for vulnerabilities already resolved, or that are configured in an insecure fashion.

Supported Versions

Some Sangoma products and open source projects may enforce a policy around versions that security vulnerability reports will be accepted against. This will be communicated upon filing of the vulnerability report as part of the triage process.

Timeline

We aim to initially respond to security vulnerability reports within 3 US business days. We aim to resolve security vulnerability reports within 60 US business days, but may need additional time to be able to do so.

We will communicate with the reporter throughout the process providing updates regarding resolution and timeline.

Once the disclosure is published, the reporter is welcome to make additional posts about their finding alongside the published disclosure that Sangoma will provide.

Notification

Sangoma will always publish and disclose the security vulnerability on GitHub. Sangoma may provide additional notification of the release of fixes for security vulnerabilities depending on the product, service, or open source project in question and its own notification mechanisms.

Bug Bounty

Sangoma, at its full discretion, may compensate reporters of a fully verified vulnerability that has not been previously patched. To be eligible for bounty consideration the reporter MUST follow this security policy. Any bug bounty issuance will be communicated directly between the reporter and a Sangoma employee over email.

Policy Updates

This policy may be updated at any time with full history viewable on GitHub.
