https://pbs.proxmox.com/mediawiki/index.php?action=history&feed=atom&title=Security_Reporting 2026-04-26T04:31:55Z Revision history for this page on the wiki MediaWiki 1.43.8 https://pbs.proxmox.com/mediawiki/index.php?title=Security_Reporting&diff=78&oldid=prev 2022-09-12T07:23:17Z

<p>Created page with &quot;Proxmox Server Solutions takes security seriously. As such, we&#039;d like to know when a security bug is found so that it can be fixed and disclosed in a timely manner. Note that...&quot;</p> <p><b>New page</b></p><div>Proxmox Server Solutions takes security seriously.<br /> As such, we&#039;d like to know when a security bug is found so that it can be fixed and disclosed in a timely manner.<br /> <br /> Note that we only support the latest point release, where the version is not yet EOL (End of Life). So, before reporting, please verify that the issue is present in a release that is still supported.<br /> For that, consider the following support timeline tables:<br /> <br /> * Proxmox VE: https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table<br /> * Proxmox Backup Server: https://pbs.proxmox.com/docs/faq.html#how-long-will-my-proxmox-backup-server-version-be-supported<br /> * Proxmox Mail Gateway: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#faq-support-table<br /> <br /> == Contact ==<br /> <br /> Please report security bugs to the Proxmox security team by email at &lt;[mailto:security@proxmox.com security@proxmox.com]&gt;.<br /> <br /> Include all relevant information required to reproduce the issue.<br /> <br /> Any exploit code is considered helpful - we will treat such samples as private and won&#039;t publish them.<br /> If you or your organization already assembled a fix and has signed [https://pve.proxmox.com/wiki/Developer_Documentation#Software_License_and_Copyright our CLA] please send that along as patch, as that can speed up the process considerably.<br /> <br /> Please send plain text emails without attachments where possible.<br /> It is much harder to have a context-quoted discussion about a complex issue if all the details are hidden away in attachments.<br /> <br /> We will normally send out an initial confirmation mail about the reception of a report within the next (Austrian) business day.<br /> <br /> If you must send highly confidential information you may use the following public GPG key, with fingerprint &lt;code&gt;E679 2AA6 98E1 1855 375A B9E3 5D0C BD43 61F2 04C5&lt;/code&gt; to encrypt the message.<br /> &lt;pre&gt;<br /> pub rsa4096 2022-09-01 [expires: 2032-08-29]<br /> E6792AA698E11855375AB9E35D0CBD4361F204C5<br /> uid Proxmox Security Team &lt;security@proxmox.com&gt;<br /> <br /> -----BEGIN PGP PUBLIC KEY BLOCK-----<br /> <br /> mQINBGMQ2moBEACiyToARfkvOCeCTB8f5vVFSBJ5Shh7RUSXt4UQLa/FMjFKp9ZA<br /> YV6n3kcLkLOxZGFMruI7zlQD31tu2pApPP8NKCjeZwg2dqS72F29xQdDDY4UlxjX<br /> T5UckNtKY6Uqlarrd2cMFL5bUsM47LaTt/EtBFdhl4YiW2i6Z7FtR2MKZtEZnb3s<br /> x31XrWUh9mGyJ+gZyHmNOn9HrUf4LCo+HDqirAMiuJiVnCHVIbhOgVf1jHNuYfKU<br /> cyaxXbhfqdWuWkc0K7+2+ClaiKrifEbQ56SbnrYEmCOl2WB1vF4GuPCN4rRByLBa<br /> cfI1GQlChZtXBpDKwZYTm4OxUfouRb7F1Dc19zejqSUHO+rCKseXMM45YSs48jJU<br /> LYjSa7FQTaHjpN1M7Zoz/P5bgbBd4pAXF5BdBekuQRc0P3VzTLISDXKTSJ6mvTk3<br /> hcMk7Wr6KGeUt0ftP1AblRvGdeQ8w8VVgEqc+yAozFguRTUmpvEo+714Ak+MyFm8<br /> FXMdwRetnJ7IVsPxaQIzHjWoWPGAKhXecmi/uLC8caU4+vlNsFT87GMz7mOuyDhK<br /> n+8fIbn7IRvuJXjQB73eQS+My+9jLGK6UjIAz8MmA0LumZ6sfunevAyDqSc/lGkc<br /> Jcore+Qb3AC0excFCbgND31+i/iJHXIbSe7Fra/9zN+GodAjnXnQn2HHLQARAQAB<br /> tCxQcm94bW94IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QHByb3htb3guY29tPokC<br /> VAQTAQoAPhYhBOZ5KqaY4RhVN1q5410MvUNh8gTFBQJjENpqAhsvBQkSzAMABQsJ<br /> CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEF0MvUNh8gTFkvwP/0B+RNoTHbMRaaNz<br /> RGl6sAshc6DOxCqxjCibWfiRr0pXADzL+NdNDyRsPY+i9Q+QQukF1PvPx9HBf4bu<br /> 3gcJ5cVbi9/nYH4BiWNM0z8HDoYto3PpCDLK944dbUV4OfnYp3rp8GkMLq7CUB9l<br /> Hji7m63bGXuB+Rc/iEFoNKXtYh7fZIq8WiWDwOVdyslc/wC3RjbEPhXts3SHntXl<br /> y5Qdr1WEcFLW6GjfMUeJR5Oy3XccfKVPKhoNgGqrUqaN0PCQsQWCJ6czc0uGzP1p<br /> EFu8ct5C71/iZ0eak84SRf8cQxN2gwTb40rAkNIq3msCT8oaSc2vZQ0X+S0+Abq4<br /> 5YOkNlCQB9f7XOKCTajjiYlElXw4H4X0uO4uKQbCBeXBI3HktivpQ1rEadXJiCl/<br /> eayeN6nBdOkupev73g3xVXCyI+QFd4IVufTqi1m857f3dNv/suHLj/Upd6q8rmqq<br /> M5s+e+3qUiAhEoB7sSCsXCh60SnDGYHsRa33F2Fz8pPpmuboW55z8OOaAgrVt/TB<br /> oZJdTzUCx77HXKMvlulZkjfuWzOB+qh6CR+bzNWzVyD3yYpNbH0UF+vBZ3sYb7Al<br /> /rAorlMz/gybSdrilHoxz2w9grcrTg6jk/dLwesCm1bzJKznEFVHQv/Mk+Kt+ZQ4<br /> /pfx41HDLtAoGfQBWxjy8n2Qrk8l<br /> =UVAu<br /> -----END PGP PUBLIC KEY BLOCK-----<br /> &lt;/pre&gt;<br /> <br /> Additionally available to download in binary format from [https://enterprise.proxmox.com/debian/security-report.gpg.pub the enterprise CDN].<br /> <br /> == Disclosure and Embargoed Information ==<br /> <br /> Once a robust fix has been developed, the release process starts.<br /> Proxmox Server Solutions will release fixes for publicly undisclosed bugs as soon as they become available, but we can hold back sensible information from commits and change logs at the requests of the reporter or an affected party.<br /> <br /> == CVE assignment ==<br /> <br /> The security team does not normally assign CVEs, nor do we require them for reports or fixes, as this can needlessly complicate the process and may delay the bug handling.<br /> <br /> We would still appreciate if you notify us about any assigned ID, for coordination and communication purpose.</div>

Tlamprecht