A Word on Security Vulnerability Reporting

I thought I’d do a quick follow-up post to mention the next thing I’m working on, not just for FreePBX but for Sangoma as well: Security Vulnerability Reporting!

I know that in the past there has been speculation about security vulnerability reporting (and a bug bounty program) for FreePBX, and I am aiming to resolve such things going forward, ensuring transparency, timely responses, and a clear process. This will of course leverage things we’ve learned and implemented in the Asterisk project.

I’m aiming to have all the pieces into place sometime in January and will be doing an additional blog post then to talk about it, so look forward to it!


Would be great to have some detail included concerning firewall rules / iptables rules. What I needed in the past - and hopefully realized manually - is geoip blocking for the SIP and TLS ports. Not really sure how, and whether there is a need for RTP also. And in addition, to be prepared for nftables once iptables becomes end of life.


To follow up on this: I’ve now released this for FreePBX in collaboration with that team. I was hoping to have it done sooner, but vacation for many got in the way. @lgaetz will be doing a blog post about it in the future, but security reporting is now available at Security Overview · FreePBX/security-reporting · GitHub, allowing people to securely and privately report security vulnerabilities and have them handled by the FreePBX team. The policy is also present there.

[edit - blog about updated security policy here]
