    Reporting Protocol Vulnerabilities

    • Roman Danyliw, Security Area Director

    22 Mar 2021

    The Internet Engineering Task Force recognizes that security vulnerabilities will be discovered in IETF protocols and welcomes their critical evaluation by researchers. After consulting with the community, the Internet Engineering Steering Group (IESG) recently provided guidance on how to report vulnerabilities to ensure they are addressed as effectively as possible.

    The full set of guidance is the best source for all the information about how to report vulnerabilities in IETF protocols, but a few details are worth highlighting.

    First, the process covers vulnerabilities in protocols or other specifications in documents, such as RFCs, published by the IETF. Security issues in specific products, software, or services that implement the protocols must be addressed by the providers or maintainers of those specific products or services. The IETF does not have any formal means of contacting those parties. Vulnerabilities in any infrastructure or services that support the IETF, IRTF and IAB (such as those associated with the ietf.org, iab.org, irtf.org and rfc-editor.org domains) are the responsibility of the IETF Administration LLC, which has its own vulnerability disclosure policy.

    Second, depending on the nature of the report, there may be specific steps a reporter can take to expedite its handling, as detailed in the vulnerability reporting guidance. For published RFCs or Internet-Drafts (I-Ds) currently under consideration by an active working group, the working group is the proper forum to address the issue. For individual Internet-Drafts, contact the document author(s). For working group I-Ds or RFCs for which there is no active working group, the general reporting email address can be used.

    Finally, while the IETF values critical analysis of its work, it does not pay “bug bounties” for reported vulnerabilities. IETF processes for creating and maintaining protocol specifications are open and transparent, with meeting and mailing list archives publicly available. The protocol vulnerability reporting guidance provides more detail about further considerations, including how complex or severe vulnerabilities might be addressed.

    While the preferred approach to reporting IETF protocol vulnerabilities is to contact the person or group responsible for the document, as a last resort, reports can always be sent by email to protocol-vulnerability@ietf.org. The IETF Security Area Directors will make their best effort to triage the report. We hope this guidance helps maintain and improve the security of the protocols and specifications on which the global Internet is built.

