<!doctype html><!--[if lt IE 7]> <html lang="en" class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]--><!--[if IE 7]> <html lang="en" class="no-js lt-ie9 lt-ie8"> <![endif]--><!--[if IE 8]> <html lang="en" class="no-js lt-ie9"> <![endif]--><!--[if gt IE 8]><!--><html lang="en" class="no-js"><!--<![endif]--><head> <meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>IETF | Reporting Protocol Vulnerabilities to the IETF</title><meta name="description" content="The IETF recognizes that security vulnerabilities will be discovered in IETF protocols and welcomes their critical evaluation by researchers."/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="twitter:card" content="summary"/><meta name="twitter:site" content="@ietf"/><meta name="twitter:title" content="Reporting protocol vulnerabilities to the IETF"/><meta name="twitter:description" content="The IETF recognizes that security vulnerabilities will be discovered in IETF protocols and welcomes their critical evaluation by researchers."><meta name="twitter:image" content="/media/images/ietflogotrans.original.png"><meta property="fb:app_id" content="159756941186350"/><meta property="og:type" content="website"/><meta property="og:url" content="/process/rfcs/vulnerabilities/"/><meta property="og:title" content="Reporting protocol vulnerabilities to the IETF"/><meta property="og:image" content="/media/images/ietflogotrans.original.png"/><meta property="og:description" content="The IETF recognizes that security vulnerabilities will be discovered in IETF protocols and welcomes their critical evaluation by researchers."/><meta property="og:site_name" content="IETF"/> <link href="https://static.ietf.org/fonts/inter/import.css" rel="stylesheet"/> <script defer="defer" src="/static/dist/main.7d84808b4dfd.js"></script><link href="/static/dist/main.b24c4c15ad12.css" rel="stylesheet"></head><body class="template-standard-page"> <header class="header"> <a href="#content" 
class="visually-hidden visually-hidden-focusable">Skip to main content</a> </header> <main id="content"> <div class="bg-white pb-1"> <div class="container"> <h1>Reporting protocol vulnerabilities to the IETF</h1> <p class="lead u-max-text-width">The IETF recognizes that security 
vulnerabilities will be discovered in IETF protocols and welcomes their critical evaluation by researchers.</p> </div> </div> <div class="bg-white"> <div class="container"> <div class="row g-0 align-items-start justify-content-between"> <div class="col-12 col-lg-8 col-xl-9 pe-lg-3"> <div class="mb-3 pt-3 pt-lg-3 border-top"> <div class=""> <div id="key-info" class="u-max-text-width"> <div class="block-paragraph"><p data-block-key="u0agn">Such research keeps the Internet safe. If you believe you’ve discovered a protocol vulnerability, we very much welcome your contribution.</p></div> <div class="block-paragraph"><p data-block-key="hzhij">Remediation of vulnerabilities is typically started through disclosure to an open and public IETF working group or mailing list where protocol improvements can be discussed. If you do not know which IETF working group or mailing list to use, or if that does not seem appropriate for your work, we invite you to contact <<a href="mailto:protocol-vulnerability@ietf.org">protocol-vulnerability@ietf.org</a>> (link to PGP key below) for assistance.</p><p data-block-key="ea47u">A full explanation of the IETF processes related to disclosure and remediation of vulnerabilities is documented below.</p><p data-block-key="xfrfy">The IETF does not pay “bug bounties” for reported vulnerabilities.</p></div> <div class="block-paragraph"><h2 data-block-key="utael"><b>Scope</b></h2><p data-block-key="hlay3">The IETF is a standards development organization that publishes RFCs that describe Internet protocols and specifications. Internet-Drafts (I-Ds) are working documents used in the creation of RFCs. RFCs and I-Ds are collectively referred to as documents. 
While documents occasionally include reference or example source code, the IETF does not build or maintain implementations of protocols.</p><p data-block-key="tfccc">Design vulnerabilities or security issues with operational practices described in IETF documents can be addressed in the IETF. Implementation or configuration vulnerabilities in products, open source projects, or services that may implement these documents need to be addressed by their corresponding vendor or maintainers. The IETF does not have a formal means to reach these parties. </p><p data-block-key="ns8l1">Additionally, the IETF does not certify conformance of products to its published documents.</p><p data-block-key="cnxtf">Vulnerabilities in any infrastructure and services that support the IETF, IRTF and IAB (such as those associated with the ietf.org, iab.org, irtf.org and rfc-editor.org domains) are the responsibility of the <a href="/administration/">IETF Administration LLC</a>, which has its own <a href="/administration/policies-procedures/vulnerability-disclosure/">vulnerability disclosure policy</a>.</p></div> <div class="block-paragraph"><h2 data-block-key="utmlb"><b>IETF Response to Vulnerability Reports</b></h2><p data-block-key="ge7l6">The IETF values your critical analysis of its work. What the IETF will do with your vulnerability report depends on the type of document in which the issue is found, the severity of the issue, the complexity of the mitigation, and the maturity of the document in question.</p><ul><li data-block-key="0s47e"><i>For published RFCs (files named RFC####)</i>, these are completed, community-reviewed documents. If the working group that produced the RFC is still active, it will work to vet the issue with you and decide the appropriate way to address the issue. If confirmed, the vulnerability might be addressed via an erratum, an updated protocol specification document, or an entirely new document to handle the issue. 
For closed working groups, the severity of the issue will determine the next steps. Minor issues can be covered with errata. For more significant updates, the <a href="/about/groups/iesg/members/">corresponding Area Directors</a> may charter a new working group to address the issues or individually sponsor an update.</li><li data-block-key="tod0v"><i>For working group Internet-Drafts (files named draft-ietf-XXX-YYY)</i>, these are documents adopted for consideration by an IETF working group but not yet finalized. The issue should be raised on the associated working group mailing list. The associated working group will work to vet the issue with you and come to a consensus on how to resolve it after notification (see Activity #9 of Figure 1).</li><li data-block-key="to2cj"><i>For individual Internet-Draft submissions (files named draft-ZZZ-AAA)</i>, these are not officially adopted documents in the IETF. Such documents were submitted by their author(s) for consideration by the IETF for adoption. Any issues found should be discussed with the authors (see Activity #7 of Figure 1). Despite not being formally adopted, a working group may be tracking or discussing such documents. Therefore, discussion of the issue may be appropriate on the working group mailing list. Note that there are rare instances where a document with this naming convention is adopted by a working group or is being advanced to publication as an RFC without being submitted to a working group (i.e., <a href="/about/groups/iesg/statements/area-director-sponsoring-documents/">individual submission</a>). </li></ul><p data-block-key="ky6a9">Vulnerabilities found in working group Internet-Drafts or individual submissions that have expired or were fixed in subsequent versions, or in published RFCs that are marked Historic, are unlikely to have action taken on them. 
Additionally, the RFC series predates the IETF, and not all RFCs are the result of IETF standards activity; some even document proprietary protocols not developed in the IETF. These may also not have action taken in response to a vulnerability report.</p><p data-block-key="i2lfc">Generally speaking, being available for follow-up clarifications and related discussions raised by the Area Directors, Working Group Chairs, working group participants, or document authors is extremely helpful. </p><p data-block-key="7vp0g">The IETF does not pay “bug bounties” for reported vulnerabilities.</p></div> <div class="block-paragraph"><h2 data-block-key="013eq"><b>Reporting a Vulnerability</b></h2><p data-block-key="enxna">A vulnerability report related to IETF documents can be sent to <<a href="mailto:protocol-vulnerability@ietf.org">protocol-vulnerability@ietf.org</a>> (link to PGP key below), and the Security Area Directors will make a best effort to triage and action the information. This email alias does not have a public archive. If explicitly requested by the vulnerability reporter, information about the reporter can be removed when the Area Directors forward the vulnerability information to public mailing list(s) (as noted below under “Transparency in the IETF” and in Activity #10 of Figure 1).</p><p data-block-key="jayi1">However, because of the distributed organization of IETF work, consulting Figure 1 can help expedite the handling of reported issues. No two vulnerabilities are the same and, depending on the maturity and circumstances of a given document, the reporting path will vary. 
Each activity in Figure 1 is documented below.</p></div> <div class="block-image"><div class="img-caption"><img alt="Protocol Vulnerability Reporting Guidance Figure" height="1507" src="/media/images/vulnerability-disclosure-reporting-guidance.original.png" width="1927"/><div class="caption">Figure 1: Vulnerability Reporting Flow</div></div> </div> <div class="block-paragraph"><h3 data-block-key="lwiwt"><b>1. Is the document known?</b></h3><p data-block-key="bektw">Can the specific document in which the vulnerability is present be identified? All IETF documents are published in the <a href="https://datatracker.ietf.org/">IETF Datatracker</a>.</p><h3 data-block-key="amts0"><b>2. What is the document name?</b></h3><p data-block-key="9j2vw">What is the name of the document in which the vulnerability is present? Published documents have the naming convention RFCxxxx (where xxxx is a four-digit number). Internet-Drafts adopted by a working group have the naming convention draft-ietf-xxx-yyy (where xxx is the working group in which the work is being done and yyy is the chosen filename). Individual submissions (drafts that are not adopted by a working group) are named draft-ZZZ-AAA (where ZZZ is typically the document submitter's name). See <a href="https://www.ietf.org/standards/ids/guidelines/#7">Section 7</a> of <a href="/participate/ids/guidelines/">Guidelines to Authors of Internet-Drafts</a> for additional background on the naming of IETF documents.</p><h3 data-block-key="0xfzj"><b>3. Is there an active working group on the topic?</b></h3><p data-block-key="g3rtc">Consult the list of <a href="https://datatracker.ietf.org/wg/">active working groups</a>. </p><h3 data-block-key="dmz2y"><b>4. 
Is this a working group document and is it still active?</b></h3><p data-block-key="qkeyw">To determine if a document named ABC was produced by a working group and if this working group is active:</p><ul><li data-block-key="etk80">Go to <a href="https://datatracker.ietf.org/doc/ABC/">https://datatracker.ietf.org/doc/ABC/</a></li><li data-block-key="8bbnh">Click the “Status” tab</li><li data-block-key="iqm83">In the “Document” meta-data section, find the “Type” field. There will be text of the form "Was draft-XXX (YYY WG)" or "Was draft-XXX (individual in ZZ area)".<ul><li data-block-key="4uufj">Clicking on the “YYY WG” link will bring up the associated working group page and confirm whether it is still active</li><li data-block-key="gs23f">Presence of the text "individual" in this field confirms that this RFC was not produced by a working group but was an <a href="/about/groups/iesg/statements/area-director-sponsoring-documents/">individual submission</a>.</li></ul></li></ul><p data-block-key="c5sqt">If the originating working group is found not to be active, also review the list of active working groups per Activity #3. A number of protocol maintenance working groups (e.g., LAMPS for the maintenance of PKI specifications; TCPM for TCP maintenance) have been established to update older, widely used protocols.</p><h3 data-block-key="dq0ei"><b>5. Is the “YYY” WG still active?</b></h3><p data-block-key="wfqpb">The procedure is the same as for Activity #4.</p><h3 data-block-key="tv979"><b>6. Can the vulnerability be mitigated/addressed with minor text edits or clarifications?</b></h3><p data-block-key="yoxa3">Judging “minor text edits or clarifications” is subjective. 
Generally speaking a “minor” edit meets the <a href="/about/groups/iesg/statements/processing-rfc-errata/">definition of an errata</a> that is meant ‘to fix "bugs" in the specification and should not be used to change what the community meant when it approved the RFC.’</p><h3 data-block-key="1vy6v"><b>7. Contact the document authors</b></h3><p data-block-key="ru5hr">The contact information for all authors can be found at the end of each document. Be advised, contact information is not updated after the document is published so it may be out-of-date.</p><h3 data-block-key="b4jfj"><b>8. File Errata</b></h3><p data-block-key="jt9yg">Errata for published RFCs can be filed at <a href="https://www.rfc-editor.org/errata.php">https://www.rfc-editor.org/errata.php</a>.</p><h3 data-block-key="gmw57"><b>9. Contact the WG mailing list</b></h3><p data-block-key="lveb5">Send your vulnerability report to the appropriate, public WG mailing list. To determine the mailing list of a working group named YYY identified in Activity #3 or 4.</p><ul><li data-block-key="5rrii">Goto <a href="https://datatracker.ietf.org/wg/YYY/about/">https://datatracker.ietf.org/wg/YYY/about/</a></li><li data-block-key="oabvp">Find the mailing list information in the section named “Mailing list”</li></ul><p data-block-key="wstt0">Note that the mailing list name might not be the same as the working name.</p><p data-block-key="rhqca">For anything sent to a WG list, also consider sending a CC: to the general reporting alias, <<a href="mailto:protocol-vulnerability@ietf.org">protocol-vulnerability@ietf.org</a>> (link to PGP key below), to provide additional visibility to the Security Area Directors.</p><h3 data-block-key="rjvm2"><b>10. 
Contact the general alias</b></h3>
<p data-block-key="6jocq">As a last resort, vulnerability reports can always be sent to &lt;<a href="mailto:protocol-vulnerability@ietf.org">protocol-vulnerability@ietf.org</a>&gt; (PGP key linked below); the <a href="/about/groups/iesg/members/">Security Area Directors</a> will make a best effort to triage and act on the information.</p></div>
<div class="block-paragraph"><h2 data-block-key="6onl2"><b>Secure Communication</b></h2>
<p data-block-key="mtskj">Messages encrypted with the PGP key (<a href="https://github.com/ietf/vul-reporting-guidance/blob/main/ietf-protocol-vulnerability-1772968.asc">local</a> | <a href="https://keys.openpgp.org/search?q=5674EB6CDC185E2A3D7A56E5AB78AE3D17729268">key-server</a>) with the fingerprint 5674 EB6C DC18 5E2A 3D7A 56E5 AB78 AE3D 1772 9268 can be sent to &lt;<a href="mailto:protocol-vulnerability@ietf.org">protocol-vulnerability@ietf.org</a>&gt;. Confirm that the fingerprint of the key you obtain from either source matches this value before encrypting.</p></div> </div> </div> </div> </div> </div> </div> </div> </main> </body></html>