SECURITY REPORTS
Security Disclosure
If you believe you have found a vulnerability or security issue in the OpenVPN open source software or one of our OpenVPN commercial products, we appreciate a report with the relevant details. Please include information on what the issue is, how to reproduce it, and any potential impact. Do not use these addresses for any purpose other than reporting security issues.
Where you send your report depends on which product is affected:
Open source projects
Use this address for the OpenVPN2 and OpenVPN3 open source projects, the OpenVPN GUI for Windows client, the OpenVPN protocol itself, and other open source clients (Tunnelblick, OpenVPN for Android).
Contact us at security@openvpn.net. You may encrypt your message with our security mailing list key, whose fingerprint is F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7. Before encrypting, check that the full fingerprint of the key you obtained matches the one above, rather than trusting a key solely because it carries this address as its user ID.
Commercial products
Use this address for OpenVPN Access Server, OpenVPN CloudConnexa, OpenVPN Connect, and any website or infrastructure-related issues.
Reports should be sent directly to security@openvpn.com.
After receiving the report, OpenVPN will:
- ask the reporter to keep the vulnerability, and all communication about it, confidential;
- verify that the vulnerability exists and identify which releases are affected. Once confirmed, we will assign a CVE ID to the issue;
- release an updated version of the affected products that resolves the issue as soon as possible. If the issue cannot be resolved within a reasonable time frame, we may publish identified workarounds, provided they improve the situation in an acceptable way without putting users at risk;
- credit the reporter and/or their organization in the release notes, unless the reporter wishes to remain anonymous;
- do our best to keep the reporter updated on the progress of the reported vulnerability.
What happens next
We acknowledge that in some cases it may take time before a release is made available. The reasons vary: the severity of the vulnerability, how the fix fits into ongoing release work, and how many products the issue affects. This is not an attempt to delay a resolution, but to ensure that the required changes are of proper quality, actually resolve the issue, and do not introduce regressions.
We thank you for being patient and for working with us towards a resolution.