LFN Vulnerability Reporting
Each LFN project maintains its own security policy and vulnerability reporting process. The authoritative source for how to report a vulnerability is always each project's own documentation. The sections below provide direct links and contacts for each active LFN project.
Do not report vulnerabilities in public GitHub issues, on mailing lists, or in Zulip. All projects ask for private disclosure so the security team has time to assess and patch the issue before it is made public.
If you are unsure where to report a vulnerability or cannot locate a project's security contact, please reach out to support@lfnetworking.org and the LFN Program Management team will route your report to the appropriate project security team.
You can also view automated vulnerability scanning results for LFN projects via the LFX Security Dashboard.
Graduated Projects
Nephio
Report to: sig-security@lists.nephio.org
Please include as much of the following as possible to help the security team triage your report:
Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting)
Full paths of the source file(s) related to the issue
Location of the affected source code (tag/branch/commit or direct URL)
Any special configuration required to reproduce the issue
The project security team will send an initial response within 3-5 days. The Nephio Security Response Committee holds final say on setting a public disclosure date.
FD.io
Report to: security@lists.fd.io (private list, accessible only to the FD.io security team)
Full vulnerability management process: wiki.fd.io/view/TSC:Vulnerability_Management
All versions of FD.io still supported by the project and affected by the reported issue are in scope. Security announcements are published to security-announce@lists.fd.io.
OpenDaylight
Report to: security@lists.opendaylight.org
Full security policy and advisory history: OpenDaylight Security Wiki
OpenDaylight has a well-established vulnerability management process and a history of rapidly addressing known vulnerabilities. Security announcements are published to security-announce@lists.opendaylight.org and opendaylight-announce@lists.opendaylight.org.
ONAP
Report to: The ONAP Vulnerability Management Subcommittee (VMS)
Full vulnerability management process: wiki.onap.org -- ONAP Vulnerability Management
ONAP has a formal vulnerability management subcommittee approved by the ONAP TSC. All ONAP projects are in scope. Patches are developed for the latest release and the master branch.
Anuket
Anuket does not currently maintain a dedicated security mailing list. To report a vulnerability privately, please contact the Anuket TSC directly via the TSC mailing list. Mailing list links can be found on the Anuket Wiki.
If you are unable to reach the TSC or are unsure of the correct contact, please reach out to support@lfnetworking.org and the LFN Program Management team will assist in routing your report.
Incubation, Sandbox, and Candidate Projects
For projects at earlier lifecycle stages (L3AF, CNTi, Paraglider, 5G Super Blueprint, Duranta, Essedum), dedicated security mailing lists may not yet be established. Please follow these steps:
1. Check the project's GitHub repository for a SECURITY.md file in the root, docs/, or .github/ folder.
2. If no dedicated security contact is documented, contact the project's TSC mailing list for private disclosure. TSC mailing list links can be found on each project's wiki page in the LFN Project Communities table.
3. If still unsure, contact support@lfnetworking.org and the LFN PM team will route your report appropriately.
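The first step above can be scripted when you have several project repositories cloned locally. The following is an added example, not code from the LFN page or from any LFN project: it checks the three locations the page lists (repository root, docs/, .github/) for a SECURITY.md and reports which clones have no policy file, so you know which ones need the TSC-list or support@lfnetworking.org fallback. It assumes each clone is a subdirectory of one base directory and deliberately does not look anywhere else (a SECURITY.md under src/, for instance, is not a documented policy location).

```shell
#!/bin/sh
# Added example (not from the LFN page or any LFN project).
# Locate a SECURITY.md in one local clone, checking only the three
# locations the page lists. Prints the path and returns 0 on success,
# returns 1 if none of the three locations has the file.
find_security_policy() {
  repo="$1"
  for candidate in "SECURITY.md" "docs/SECURITY.md" ".github/SECURITY.md"; do
    if [ -f "$repo/$candidate" ]; then
      printf '%s\n' "$repo/$candidate"
      return 0
    fi
  done
  return 1
}

# Scan every clone under a base directory (assumed layout: one clone per
# subdirectory) and flag the ones with no policy file. Returns 0 when
# every clone has a policy, 1 when at least one is missing.
scan_clones() {
  base="$1"
  missing=0
  for repo in "$base"/*/; do
    repo="${repo%/}"
    [ -d "$repo" ] || continue
    if path=$(find_security_policy "$repo"); then
      printf 'policy   %s\n' "$path"
    else
      printf 'MISSING  %s  (use the project TSC list, then support@lfnetworking.org)\n' "$repo"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Usage: scan_clones /path/to/lfn-clones
```

Run it against the directory holding your clones before you report; a MISSING line means step 2 (TSC mailing list) or step 3 (support@lfnetworking.org) applies for that project.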
General Guidance
What to include in a vulnerability report:
A clear description of the vulnerability and its potential impact
The affected project, component, version, and repository
Steps to reproduce the issue
Any relevant logs, screenshots, or proof-of-concept code
Your preferred method of contact for follow-up
What to expect after reporting:
An acknowledgment from the project security team, typically within a few business days
A private tracking issue or ticket will be created to manage the disclosure process
The security team will work with you to confirm the issue, develop a fix, and agree on a public disclosure date
You will be credited in the security advisory unless you prefer to remain anonymous
LFX Security Dashboard:
The Linux Foundation's LFX Security tool provides automated vulnerability scanning across LFN project repositories, including dependency vulnerability detection and license compliance scanning.
This page is maintained by the LFN Program Management team. If you notice outdated information or a project's security contact has changed, please contact support@lfnetworking.org.