Table of Contents
When we discover a security vulnerability in NTP we follow our Phased Vulnerability Process which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally making a public announcement.
Institutional Members receive advanced notification of security vulnerabilities.
Security Patch Policy
When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.
Premier and Partner Members receive early access to security patches.
Reporting Security Issues
Security related bugs, confirmed or suspected, are to be reported by email to email@example.com.
Do not disclose details with unencrypted email. We will exchange PGP keys for further discussion.
You can use our NTP Security Officer Key for reporting issues you have verified as security-related.
Please refrain from discussing potential security issues in public fora such as comp.protocols.time.ntp, our Bug Tracking system, firstname.lastname@example.org, or any mailing list.
Known Vulnerabilities by Release Version
The following releases provided fixes for at least one security vulnerability. The table for each release provides an entry for each security issue (click its hyperlink to read the details for the vulnerability), indicates the issue’s severity, and provides the dates of advance notification to institutional members, advance release to premier and partner institutional members, and public release.
Refer to the Release Timeline for a complete list of all releases, their public release dates, release announcements, and changelogs.
Click to hide release list