# Security Policy

## Reporting a vulnerability

Please put detailed report to
https://github.com/iputils/iputils/security/advisories
or send a detailed mail to pvorel at suse.cz and david at ixit.cz
report vulnerabilities in iputils.

Even when unsure whether the bug in question is an exploitable
vulnerability, it is recommended to send the report to
https://github.com/iputils/iputils/security/advisories or/and
pvorel at suse.cz and david at ixit.cz (and obviously not to discuss the
issue anywhere else).

Vulnerabilities are expected to be discussed _only_ there, and not in public,
until the official announcement.

Examples for details to include:

- Ideally a short description (or a script) to demonstrate an
  exploit.
- The affected platforms and scenarios (the vulnerability might
  only affect setups with case-sensitive file systems, for
  example).
- The name and affiliation of the security researchers who are
  involved in the discovery, if any.
- Whether the vulnerability has already been disclosed.
- How long an embargo would be required to be safe.

## Supported Versions

There are no official "Long Term Support" versions in iputils.

Fixes to vulnerabilities are made for the latest iputils version
and usually can be backported to the older releases.