On 6/22/25 11:44 AM, JustCoding247 wrote:
> I am writing to inquire about the proper procedure for reporting a
> potential security vulnerability I have discovered in Net-SNMP.
> While analyzing the Net-SNMP source code, I have identified what appears
> to be a buffer overflow vulnerability in the network statistics
> functionality. To follow responsible disclosure practices, I would like
> to report this issue privately to the project maintainers before any
> public disclosure.
> Could you please advise on the preferred method for submitting detailed
> vulnerability reports? Specifically, I would like to know:
> 1. Is there a dedicated security contact email or private reporting channel?
> 2. What information should be included in the vulnerability report?
> 3. What is the typical timeline for security issue resolution?
> I can provide:
> - Detailed technical analysis of the vulnerability
> - Affected code locations and line numbers
> - Potential impact assessment
> - Suggested fix/patch recommendations
> - Proof-of-concept code (if needed)
> I understand the importance of responsible disclosure and am committed
> to working with the project team to address this issue appropriately.
> Thank you for your time and guidance. I look forward to your response.

My answers to your questions are as follows:
1. Please send the report to net-snmp-adm...@lists.sourceforge.net.
2. Any information that allows us to root-cause and/or reproduce the bug
is fine. Providing a suggested fix will help to get the issue to be
addressed more quickly. Proof-of-concept code isn't required but if
it can be provided under a BSD license then we can add it to the test
suite.
3. Net-SNMP is maintained by a team of volunteers, so there are no hard
guarantees for the resolution time. How quickly the report gets
addressed will depend on the severity of the reported issue.
Thanks,
Bart.
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders