Security Contacts and Vulnerability Disclosure Policy

Vulnerabilities reported to The Tcpdump Group via security@tcpdump.org will be disclosed to the public at the next release of tcpdump.

As a volunteer-run open source organization, The Tcpdump Group cannot promise to release within a set period such as 90 days.

The Tcpdump Group aims to release twice a year, usually in March and November of each year. This is a best-effort commitment. We will attempt to ship more often, but this will depend upon the availability of volunteer time.

Each release will do its best to credit the reporter with identifying the vulnerability. Each reported issue will be given a CVE number at the time of reporting.

Bug reports should include a sample pcap (or pcapng) file that demonstrates the problem. An effort will be made to keep the sample file confidential until the bug has been fixed. Once fixed, the sample file is expected to be released publicly as part of a test case.

Vulnerabilities found in unreleased public branches may be reported and patched publicly on GitHub. Vulnerabilities found in released code SHOULD be communicated to security@tcpdump.org. For reasons of DMARC, this is a moderated mailing list to which the public cannot subscribe, but submissions will be moderated and responded to on a weekly basis.