Skip to content

Vulnerability Reporting

Jeremy Stretch edited this page Jul 10, 2024 · 1 revision

Per our security policy, all potential vulnerabilities must be reported via email to security@netboxlabs.com.

Initial triage of vulnerability reports is handled by the NetBox Labs support team, and valid reports are forwarded to the NetBox maintainers team for further investigation. A NetBox maintainer will then:

  • Validate the reported vulnerability
  • Determine its impact and severity
  • Create a (private) draft GitHub security advisory
  • Coordinate with other maintainers to devise and implement a solution

Once implemented, the solution will be shipped in the next stable release of NetBox. Particularly severe issues may warrant immediately releasing a new version of NetBox. Security advisories will be published after a stable release containing the fix has been available for some time.

Please note that we do not issue or respond to CVEs, as these reports are entirely unmoderated and often inaccurate, redundant, and/or overstated with regard to actual impact on the product. (This article explores the challenges of dealing with nuisance CVEs.)

Clone this wiki locally