
Fix the description on CVE-2017-2640

2017-03-30, Richard Laager
c8a39945efc0
It was an out-of-bounds write, not read.

This commit updates the ChangeLog file to match that in the
release-2.x.y branch (minus the bit for the unreleased version).
<?php
// Update these to match the current page.
$page['title'] = "Pidgin, libpurple, and finch security and vulnerabilities";
$page['section'] = "Security";
$page['description'] = "Security and vulnerability contact and process information for Pidgin and related projects.";
include($_SERVER['DOCUMENT_ROOT'] . "/../inc/header.inc");
include($_SERVER['DOCUMENT_ROOT'] . "/../inc/version.inc");
?>
<div id="content">
<div class="box_full">
<div id="main">
<h1>Pidgin Security</h1>
<p>Because Pidgin is a network client that interacts with untrusted users
and servers, managing vulnerabilities and security response is important to
the Pidgin project and to our users. We have established procedures for
collecting security-related information and for disclosing this
information to the public.</p>
<p>Please see our comprehensive <a href="/news/security/">list of known
and reported security advisories</a> for information on past
vulnerabilities.</p>
<h2>Reporting a Security-related Issue</h2>
<p>If you believe you have discovered a security problem or vulnerability
in Pidgin, libpurple, finch, or one of our related projects, please let
us know by emailing
<a href="mailto:security@pidgin.im">security@pidgin.im</a>.</p>
<p>To help us fix the problem as quickly as possible, and with as
little exposure of our users to malicious actors as we can manage, we ask
that you give us a chance to fix the problem before you publish its
existence or details in a public forum, and that you provide us with as
much information as you can. In return, we will endeavor to respond to
your concerns in a timely fashion. When reporting a security-related bug
or vulnerability, please provide as much of the information in the
following list as possible. If you don't know what something is or how to
provide it, that's OK: leave it out and tell us what you do know.</p>
<ul>
<li><p>A way to contact you or your organization.</p></li>
<li><p>The version of Pidgin, libpurple, finch, or other package in
which the problem was discovered.</p></li>
<li><p>A concise description of the problem, including a summary of
why you believe it is security-critical. This might be, for example,
"Receipt of an invalid XMPP message containing the tag &lt;foo&gt;
causes Pidgin to write data to an invalid memory location."</p></li>
<li><p>Steps to reproduce the problem, if known.</p></li>
<li><p>Any debugging information, including backtraces
(see <a href="https://developer.pidgin.im/wiki/GetABacktrace">our
instructions for obtaining a backtrace</a>), a debug log (the output
of <code>pidgin -d</code>), etc.</p></li>
<li><p>Any proof of concept exploits, debugging tools, or other
information you have and are willing to divulge.</p></li>
<li><p>The oldest and newest versions of our software affected by the
bug <em>to the best of your knowledge</em>. If you don't know,
that's fine &mdash; we'll try to find out.</p></li>
<li><p>Information on any security reports or vulnerability
assessments you may have already made on the issue (preferably not
yet public, as mentioned above).</p></li>
<li><p>Any proposed embargo dates, release schedules, etc. you or your
organization may have established.</p></li>
</ul>
<h2>Receiving Security-related Reports</h2>
<p>We maintain a list of packagers and maintainers of Pidgin and related
software which we notify of security vulnerabilities and their fixes
prior to disclosure to the public. This allows packagers and
distributors of our software to release patched or updated versions
simultaneously with the public disclosure of known issues. We attempt
to provide sufficient advance warning to this list that packages may be
properly prepared before disclosure.</p>
<p>If you believe you should be on this list, please
contact <a href="mailto:security@pidgin.im">security@pidgin.im</a> and
let us know why.</p>
</div>
</div>
</div>
<?php include($_SERVER['DOCUMENT_ROOT'] . "/../inc/footer.inc"); ?>