On 6/22/25 11:44 AM, JustCoding247 wrote:
I am writing to inquire about the proper procedure for reporting a potential security vulnerability I have discovered in Net-SNMP.

While analyzing the Net-SNMP source code, I have identified what appears to be a buffer overflow vulnerability in the network statistics functionality. To follow responsible disclosure practices, I would like to report this issue privately to the project maintainers before any public disclosure.

Could you please advise on the preferred method for submitting detailed vulnerability reports? Specifically, I would like to know:

1. Is there a dedicated security contact email or private reporting channel?
2. What information should be included in the vulnerability report?
3. What is the typical timeline for security issue resolution?

I can provide:
- Detailed technical analysis of the vulnerability
- Affected code locations and line numbers
- Potential impact assessment
- Suggested fix/patch recommendations
- Proof-of-concept code (if needed)

I understand the importance of responsible disclosure and am committed to working with the project team to address this issue appropriately.

Thank you for your time and guidance. I look forward to your response.

My answers to your questions are as follows:
1. Please send the report to net-snmp-adm...@lists.sourceforge.net.
2. Any information that allows us to root-cause and/or reproduce the bug
   is fine. Providing a suggested fix will help to get the issue to be
   addressed more quickly. Proof-of-concept code isn't required but if
   it can be provided under a BSD license then we can add it to the test
   suite.
3. Net-SNMP is maintained by a team of volunteers so there are no hard
   guarantees for the resolution time. How quickly the report gets
   addressed will depend on the severity of the reported issue.

Thanks,

Bart.


_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders