Infrastructure and Services Vulnerability Disclosure

The IETF Administration LLC (IETF LLC) operates the infrastructure and services that support the IETF, IRTF and IAB, including that managed by staff, contractors or volunteers; third-party managed infrastructure and services; and tools developed by staff, contractors or volunteers. The IETF LLC is not responsible for the standards development process and protocol vulnerabilities should be reported according to the guidance provided by the Internet Engineering Steering Group.

The IETF LLC is committed to resolving security vulnerabilities quickly and carefully. If you believe you have discovered a security related issue within our online systems, then please help us by disclosing the issue to us by following the process below.

NOTE: Please be aware that the IETF operates in an open and transparent fashion and we publish extensive open records through multiple mechanisms. Please do not report our open records as vulnerabilities.

Process

Contact us via email at operational-vulnerability@ietf.org with a detailed report of the potential vulnerability. If you believe the vulnerability is serious or there is a chance that email is insecure, then please encrypt the message with PGP using this PGP Key, fingerprint 9E7A 1B85 6A21 1343 2AC6  241B 0097 A16B F233 2D8B.

Your email should include as much of the following as possible:

  • Type of vulnerability.
  • Whether the information has been published or shared with others.
  • Step-by-step instructions/proof-of-concept codes to replicate the issue.

You will receive an immediate automated reply to acknowledge that we have received your report. We will then review the information and work to validate the reported vulnerability. If the vulnerability is validated we will complete the investigation and notify you, generally within 7 days. Where appropriate you will receive results of the vulnerability findings, a plan for resolution and plans for public disclosure. 

We aim to resolve all validated vulnerabilities that are brought to our attention as quickly as possible and in any event will do so no later than 90 days after the report was received.

Limitations

We do not permit the following types of security research:

  • Causing, or attempting to cause, a Denial of Service (DoS) condition.
  • Accessing, or attempting to access, data or information that you are not authorised to access..
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that you are not authorised to access.

User Security

So that we may protect the security of our users we request that any potential vulnerability that you believe you have discovered is not shared outside of trusted circles, until we have had the opportunity to research, respond and address the reported vulnerability and inform users if needed. We also ask that you do not share or post any information on our users that you are not authorised to access, in any environment.

Public Disclosure

The IETF has a strong commitment to transparency and in line with that we will publicly disclose the vulnerability soon after full resolution and no more than 90 days after the report was received, unless we are unable to do so for legal or contractual reasons, or if disclosure is the responsibility of a third-party.

Our Commitment

If you act in good faith and follow this process then we make the following commitments to you:

  • The information that you share with us as part of this process will be kept confidential within the IETF LLC, our directly contracted vendors and a small team of volunteers. It will not be shared with other third-parties without your permission.
  • We will not initiate legal action against security researchers attempting to find vulnerabilities within our systems who adhere to this policy.
  • If you report a vulnerability that materially affects our services or infrastructure then with your consent we will give you thanks with public acknowledgement.

Recognition

We want to thank the following people for reporting vulnerabilities responsibly:

  • Oussama Kasmi. CVE-2021-41174 (Javascript injection in Grafana) for NOC dashboard.
  • Hari Priandana. Open redirect in Datatracker
  • Markus Stenberg. Paypal receipt replay in Registration system.
  • Lucas Tesson. Reflected XSS in online ABNF parser.

If you have any questions or you wish to report a vulnerability, please contact operational-vulnerability@ietf.org.