This is an old revision of the document!
A security vulnerability is when a user of Kamailio can cause Kamailio to crash or lock up by sending messages to the server process.
If you believe there's a security vulnerability, please don't use the public forums. Send e-mail to email@example.com and the issue will be handled properly.
1. Send an e-mail to firstname.lastname@example.org and include the following information
2. A member of the Kamailio Security Team will respond 3. The kamailio developer team will work to solve the issue. When there is a patch for the issue, it should NOT be committed directly. It should be coordinated with the release of a security release as well as the publication of a Kamailio project security vulnerability report.
Kamailio will publish security vulnerabilities, including an CVE ID, on the kamailio-announce mailing list, sr-users as well as related lists.
A Kamailio Security team should be appointed with core developers of the project. These individuals will be part of the security process and review patches and text for the vulnerability report. Two persons should take the role of Kamailio Security Officers. One of these should manage each security incident - which does not mean solving the code issue, but managing the process from report to publication and patch release.
This address should have a PGP key associated, used by the security officers.