If you think you have found a security issue in our distribution, please contact us immediatelly by posting a confidential issue in our bug tracker in a dedicated security project.

To do so, login into our issue tracker or create a new account if you do not have one yet. Click on New issue, then make sure to check the checkbox at the bottom This issue is confidential and should only be visible to team members with at least Reporter access. Please use the Issue type of ticket and the associated template. Fill in the title, answer the questions in the Description field. Then click Create issue.

Your report should contain a description of the issue, the steps you took to reproduce the issue (including the image name), affected versions, and, if known, any mitigations for the issue.

We plan to add a security-related mailing list and a possibility to send GPG-encrypted email in the near future.

We aim to acknowledge the reception within one working day, and responding with a first assessment within three working days. We follow a 90 days disclosure timeline.

We will be happy to acknowledge your work in the vulnerability announcement, and will do so if you do not object.