Invitation to Responsible Security Researchers
We specifically invite and welcome the scrutiny and participation of responsible security researchers. Please, inspect the code, abuse the APIs, fuzz the sockets, and attack the network traffic.
If you are a security research organization, we invite you to contact us even before you have anything to report, so we can set up a working relationship, and exchange keys.
Please report discovered vulnerabiltites to the NTPsec security team.
This team email forwards to a very small cadre of the internal NTPsec staff.
You may GPG encrypt your report. Our GPG key can be found on the well known keyservers, and has the following id and fingerprint:
pub 4096R/477C7528 2016-04-14 [expires: 2019-04-14] Key fingerprint = DA3F DF77 4CC7 0FA6 4729 EC45 05D9 B371 477C 7528 uid NTPsec Security Reporting <firstname.lastname@example.org>
The following key was revoked on 2016-04-13:
pub 4096R/CC282DBE 2015-09-29 [expires: 2018-09-13] Key fingerprint = B09A 8CAB E180 EC66 4CC5 11D8 2A7C 3E36 CC28 2DBE uid NTPsec Security Reporting <email@example.com>
Our Responsiveness Goals
Our goal is to ack receipt within 24 hours; verify each potential vulnerability within 3 days; and if the vulnerability is a significant network risk, such as remote execution, denial of service, network amplification, or corruption of time reporting, develop a fix within 7 days.
Our experience so far is that we are much faster than that.
Our Responsible Disclosure Policy
Our responsible disclosue policy is very closely modeled on the CERT Vulnerability Disclosure Policy:
Vulnerabilities reported to the NTPsec security team will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure. Disclosures made by the NTPsec security team/CC will include credit to the reporter unless otherwise requested by the reporter. We will apprise any affected vendors of our publication plans and negotiate alternate publication schedules with the affected vendors when required.
It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall.
Vulnerabilities reported to us will be forwarded to the affected vendors as soon as practical after we receive the report. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter. We will advise the reporter of significant changes in the status of any vulnerability he or she reported to the extent possible without revealing information provided to us in confidence.