The IETF Administration LLC (IETF LLC) operates the infrastructure and services that support the IETF, IRTF and IAB.
These include: infrastructure and services managed by staff, contractors or volunteers; third-party managed infrastructure and services; and tools developed by staff, contractors or volunteers. The IETF LLC is not responsible for the standards development process, and protocol vulnerabilities should be reported according to guidance provided by the Internet Engineering Steering Group, which is currently being finalized.
The IETF LLC is committed to resolving security vulnerabilities quickly and carefully. If you believe you have discovered a security-related issue within our online systems, please help us by disclosing it to us through the process below.
Contact us via email at firstname.lastname@example.org with a detailed report of the potential vulnerability. If you believe the vulnerability is serious or there is a chance that email is insecure, then please encrypt the message with PGP using this PGP Key, fingerprint 9E7A 1B85 6A21 1343 2AC6 241B 0097 A16B F233 2D8B.
Your email should include as much of the following as possible:
You will receive an immediate automated reply to acknowledge that we have received your report. We will then review the information and work to validate the reported vulnerability. If the vulnerability is validated, we will complete the investigation and notify you, generally within 7 days. Where appropriate, you will receive results of the vulnerability findings, a plan for resolution and plans for public disclosure.
We aim to resolve all validated vulnerabilities that are brought to our attention as quickly as possible and in any event will do so no later than 90 days after the report was received.
We do not permit the following types of security research:
So that we may protect the security of our users, we request that any potential vulnerability that you believe you have discovered is not shared outside of trusted circles until we have had the opportunity to research, respond to and address the reported vulnerability and inform users if needed. We also ask that you do not share or post any information on our users that you are not authorised to access, in any environment.
The IETF has a strong commitment to transparency and, in line with that, we will publicly disclose the vulnerability soon after full resolution and no more than 90 days after the report was received, unless we are unable to do so for legal or contractual reasons, or if disclosure is the responsibility of a third party.
If you act in good faith and follow this process, then we make the following commitments to you:
If you have any questions or you wish to report a vulnerability, please contact email@example.com.