All vulnerabilities must be
reported to The Tcpdump Group via
[email protected].
Please try to keep as close to a responsible disclosure
process as is reasonably practicable. Vulnerabilities
that have been deliberately made public by the reporter
will not be credited.
Vulnerabilities will be disclosed to the
public at the next release of the software that experiences
the problem.
As a volunteer-run open source software organization, The
Tcpdump Group cannot promise to release within a set
period like 90 days.
The Tcpdump Group aims to release at least once a year.
This is a best-effort commitment. We will attempt to
ship more often, but this will depend upon the
availability of volunteer time and the amount of other
work in need of attention.
Each release will do its best to credit the
reporter with identifying the vulnerability.
Each confirmed unique issue that applies to a release
will be assigned a CVE number at
the time of reporting. You can find a list of the most
recently processed CVEs here.
Bug reports should include a sample .pcap (or
.pcapng) file that demonstrates the problem.
An effort will be made to keep the sample file
confidential until the bug has been fixed. Once
fixed, the sample file is expected to be released
publicly as part of a test case.