If you have found a security vulnerability in tinc, please email [email protected] directly. You can encrypt the email using PGP if desired. We will try to respond within 48 hours. If there is no response, try to contact us via alternate means listed at https://www.tinc-vpn.org/contact/.
We greatly prefer to use the responsible disclosure model. After we have been contacted about a potential vulnerability, we will do the following:
- Confirm the problem and determine the affected versions.
- Register a CVE number.
- Prepare a fix for all affected versions of tinc.
- Coordinate a release of the fix with Linux and BSD distributions.
- Disclose the vulnerability after the fix has been released and any agreed-upon embargo period has expired.
Currently we support the 1.0.x and 1.1.x branches of tinc.
| Version | Supported |
|---|---|
| 1.1.x | yes |
| 1.0.x | yes |