CVE Numbering Authority

The Tcpdump Group participates in MITRE's CVE Program as a CNA (CVE Numbering Authority) with a scope limited to tcpdump and libpcap vulnerabilities. Involvement with vulnerabilities in other software can be considered on a case-by-case basis, and only if that software is closely related to packet capture and analysis and the case does not fall within the scope of another CNA.

Security Contacts and Vulnerability Disclosure Policy

Vulnerabilities reported to The Tcpdump Group via security@tcpdump.org will be disclosed to the public at the next release of tcpdump.

As a volunteer-run open source organization, The Tcpdump Group cannot promise to release within a set period such as 90 days.

The Tcpdump Group aims to release twice a year, usually in March and November. This is a best-effort commitment: we will attempt to ship more often, but that depends on the availability of volunteer time.

Each release will do its best to credit the reporter with the identification of the vulnerability. Each reported issue will be assigned a CVE number at the time of reporting. You can find a list of the most recently processed CVEs here.

Bug reports should include a sample pcap (or pcapng) file that demonstrates the problem. An effort will be made to keep the sample file confidential until the bug has been fixed. Once the bug is fixed, the sample file is expected to be released publicly as part of a test case.

Vulnerabilities found in unreleased public branches may be reported and patched publicly on GitHub. Vulnerabilities found in released code should be communicated to security@tcpdump.org. For reasons of DMARC, this is a moderated mailing list to which the public cannot subscribe, but submissions will be moderated and responded to on a weekly basis.