Debian Vulnerability Disclosure Policy

This document is the vulnerability disclosure and embargo policy of the Debian project, as required by Debian's status as a CVE Numbering Authority (Sub-CNA, rule 2.3.3). Please also consult the Security Team FAQ for additional information on Debian security procedures.

General Process

The Debian security team will typically get back to vulnerability reporters within several days. (See the FAQ entries for contacting the security team and reporting vulnerabilities.)

Most of the software that is part of the Debian operating system has not been specifically written for Debian. The Debian operating system as a whole also serves as the foundation for other GNU/Linux distributions. This means that most vulnerabilities affecting Debian also affect other distributions and, in many cases, commercial software vendors. As a result, the disclosure of vulnerabilities has to be coordinated with other parties, not just the reporter and Debian itself.

One forum for such coordination is the distros list. The Debian security team expects that experienced security researchers contact the distros list and affected upstream projects directly. The Debian security team will provide assistance to other reporters as needed. Before involving third parties, permission from reporters is obtained.

Timelines

As mentioned at the start, acknowledgment via email of the initial report is expected to take several days at most.

Since addressing most vulnerabilities in Debian software requires coordination among several parties (upstream developers, other distributions), the time between initial report of a vulnerability and its public disclosure varies a lot depending on the software and organizations involved.

The distros list limits embargo periods (the time between initial report and disclosure) to two weeks. However, longer periods are not uncommon, with additional coordination taking place before the issue is shared with the distros list, to accommodate vendors with monthly or even quarterly release cycles. Addressing Internet protocol vulnerabilities can take even longer than that, as can developing software mitigations for hardware vulnerabilities.

Avoiding Embargoes

Since coordination in private tends to cause a lot of friction and makes it difficult to involve the right subject matter experts, Debian will encourage public disclosure of vulnerabilities even before a fix has been developed, except when such an approach would clearly endanger Debian users and other parties.

The Debian security team will often ask reporters of vulnerabilities to file public bug reports in the appropriate bug tracker(s) (such as the Debian bug tracking system), providing assistance as needed.

An embargo is not needed for CVE assignment or credit in a security advisory.

CVE Assignment

Debian, as a sub-CNA, only assigns CVE IDs for Debian vulnerabilities. If a reported vulnerability does not meet this criterion and is therefore out of scope for the Debian CNA, the Debian security team will either arrange for CVE ID assignment from other CNAs, or guide the reporter on submitting their own request for a CVE ID.

A CVE assignment by the Debian CNA will be made public with the publication of the Debian Security Advisory, or when the bug is filed in the appropriate bug tracker(s).

Vulnerability vs regular bug

Due to the wide range of software that is part of the Debian operating system, it is not possible to provide general guidance on what constitutes a security vulnerability and what is just an ordinary software bug. When in doubt, please contact the Debian security team.

Bug Bounty Program

Debian does not offer a bug bounty program. Independent parties may encourage reporters to contact them about vulnerabilities in the Debian operating system, but they are not endorsed by the Debian project.

Debian Infrastructure Vulnerabilities

Reports of vulnerabilities in Debian infrastructure itself are handled in the same way. If the infrastructure vulnerability is not the result of a misconfiguration, but a vulnerability in the software being used, the usual multi-party coordination is required, with similar time frames as described above.