NLnet Labs Security Patch Policy
Published 7 Aug 2013, version 1.0.2
This policy currently applies to:
The security of our software is important, and NLnet Labs gives
security considerations the highest importance. If a flaw is found we
intend to provide security patches, for free, to the general
public. In addition, we strive to be transparent about the nature, cause
and impact of security flaws. Since the announcement of a security flaw may
trigger the creation of exploits, we strive to balance transparency about
flaws with the impact exploits might have on the Internet and its
We will follow the internal guidelines below. However,
circumstances may force us not to apply this policy in full.
- End of support for the software by NLnet Labs will be publicly
announced two years in advance.
- All security vulnerabilities will be identified with a dedicated
CERT vulnerability tracking number.
- In general the security patches are distributed according to the
  - Cat. 1:
    - Supported Contacts and the party that reported the vulnerability, under non-disclosure.
  - Cat. 2:
    - Special Interest group, under non-disclosure.
    - Well known high-level public interest entities.
    - Known Open Source platform OS-maintainers.
  - Cat. 3:
    - The general public.
- The time scale on which we publish/distribute security patches
differs depending on the nature of the security issue. If the
issue is widely known or exploited at the moment we have developed a
patch (zero day), we intend to release the patch as soon as possible
to the widest audience possible, which collapses stages 1 through 3
above to the order of days.
If the issue is not yet public, we intend to release security
patches to the general public on a short timescale, of the order of
- If we cannot find a fix for the security vulnerability, we
obviously cannot provide code, and may seek assistance. In order to
prevent zero-day exploits, information about (the existence of)
these types of vulnerabilities may only be shared under
non-disclosure with cat. 1, and if circumstances dictate with
- We provide patches for the latest released software version,
i.e. the latest major, minor and patch-level release.
- In general we provide support for the previous major release for
1 year after its deprecation. (We therefore also provide security
patches for major releases deprecated up to one year ago. A major release is
an increment of the first version number.)