    Reporting Protocol Vulnerabilities

    • Roman Danyliw, Security Area Director

    22 Mar 2021

    The Internet Engineering Task Force recognizes that security vulnerabilities will be discovered in IETF protocols and welcomes their critical evaluation by researchers. After consulting with the community, the Internet Engineering Steering Group (IESG) recently provided guidance on how to report vulnerabilities to ensure they are addressed as effectively as possible.

    The full set of guidance is the best source for all the information about how to report vulnerabilities in IETF protocols, but a few details are worth highlighting.

    First, the process covers vulnerabilities in protocols or other specifications in documents, such as RFCs, published by the IETF. Security issues in specific products, software, or services that implement the protocols must be addressed by the providers or maintainers of those specific products or services. The IETF does not have any formal means of contacting those parties. Vulnerabilities in any infrastructure or services that support the IETF, IRTF and IAB (such as those associated with the ietf.org, iab.org, irtf.org and rfc-editor.org domains) are the responsibility of the IETF Administration LLC, which has its own vulnerability disclosure policy.

    Second, depending on the nature of the report, there may be specific steps a reporter can take to expedite its handling, as detailed in the vulnerability reporting guidance. For published RFCs or Internet-Drafts (I-Ds) currently under consideration by an active working group, the working group is the proper forum to address the issue. For individual Internet-Drafts, contact the document author(s). For working group I-Ds or RFCs for which there is no active working group, the general reporting email address can be used.

    Finally, while the IETF values critical analysis of its work, it does not pay “bug bounties” for reported vulnerabilities. IETF processes for creating and maintaining protocol specifications are open and transparent, with meeting and mailing list archives publicly available. The protocol vulnerability reporting guidance provides more detail about further considerations, including how complex or severe vulnerabilities might be addressed.

    While the preferred approach to reporting IETF protocol vulnerabilities is to contact the person or group responsible for the document, as a last resort, reports can always be sent by email to protocol-vulnerability@ietf.org. The IETF Security Area Directors will make their best effort to triage the report. We hope this guidance helps maintain and improve the security of the protocols and specifications on which the global Internet is built.

