Security Reports

Security Disclosure

If you believe you have found a vulnerability or security issue in one of our OpenVPN products, we appreciate a report with the related details.

Such reports should be sent ENCRYPTED to security@openvpn.net using our PGP key with the fingerprint: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7

After receiving the report, OpenVPN will:

  • request the reporter to keep the information and communication of the vulnerability confidential
  • verify the existence of the vulnerability and identify which releases are affected. When confirmed, we will assign a CVE ID to the issue.
  • release an updated version of the affected products resolving the issue as soon as possible. If it is not possible to resolve the issue within a
  • reasonable time frame, identified workarounds might be published if that improves the situation in an acceptable way without putting users at risk.
  • Include a reference to the reporter and/or its organization as part of the release notes, unless the reporter wishes to remain anonymous.
  • do its best to keep the reporter updated on the progress of the reported vulnerability.

What happens next:

We do acknowledge that it may in some cases take time before a release is made available. There are various reasons for that, which is related to vulnerability severity and how that is related to ongoing release work and how many products the issue may affect. This is not an attempt from us to delay a resolution but to ensure the required modifications have the proper quality, resolve the issue, and do not introduce regressions.

We thank you for being patient and for working with us towards a resolution.