The project is eager to work with the community to resolve security vulnerabilities in Zeek. The project strives to address security concerns in a timely manner and to properly acknowledge the contributor(s). Follow these steps to report a vulnerability:
- Please do not publicly disclose the vulnerability until the project has an opportunity to review and address the issue.
- Whenever possible, use the PGP key below to ensure the message is encrypted.
- Email firstname.lastname@example.org with a description of the bug, the version of Zeek to which it applies, and any other necessary details to help diagnose the problem.
- The Zeek development team will confirm receipt of the report within two business days. It may take additional time to correct the issue.
- If an update is necessary, the reporter will receive an acknowledgment in the Zeek distribution CHANGES file.
Please see Zeek’s security release process for more information on how we handle security issues.
PGP Encryption Key
The following PGP encryption key is used specifically for reporting security vulnerabilities:
    pub   rsa4096/0xA7D41CE47ADF36F3 2015-01-05 [SC] [expires: 2022-01-21]
          B0A23534168BD61E53ADAF00A7D41CE47ADF36F3
    uid   Zeek Security Team <email@example.com>
    uid   Bro Security Team <firstname.lastname@example.org>
    sub   rsa4096/0x7F8742982A569E09 2015-01-05 [E] [expires: 2022-01-21]
To get the key, follow this link, or retrieve it from any of the standard key servers.
Thank you for supporting Zeek’s security!