Security Reporting

Security Reporting 

The project is eager to work with the community to resolve security vulnerabilities in Zeek. The project strives to address security concerns in a timely manner and to properly acknowledge the contributor(s). Follow these steps to report a vulnerability:

  • Please do not publicly disclose the vulnerability until the project has an opportunity to review and address the issue.
  • Whenever possible, use the the PGP key below to ensure the message is encrypted.
  • Email security@zeek.org with a description of the bug, the version of Zeek to which it applies, and any other necessary details to help diagnose the problem.
  • The Zeek development team will confirm receipt of the report within two business days. It may take additional time to correct the issue.
  • If an update is necessary the reporter will receive an acknowledgment in the Zeek distribution CHANGES file.

PGP Encryption Key

The following PGP encryption key is used specifically for reporting security vulnerabilities:

pub   rsa4096/0xA7D41CE47ADF36F3 2015-01-05 [SC] [expires: 2022-01-21]
      B0A23534168BD61E53ADAF00A7D41CE47ADF36F3
uid                   Zeek Security Team <security@zeek.org>
uid                   Bro Security Team <security@bro.org>
sub   rsa4096/0x7F8742982A569E09 2015-01-05 [E] [expires: 2022-01-21]

To get the key, follow this link, or retrieve it from any of the standard key servers.

Thank you for supporting Zeek’s security!