Some specific things not to report to libssh!
- libssh is a public open source project, so we have a public git web instance at https://git.libssh.org. This is intentional; please do not report this (again).
- Directory listings on https://www.libssh.org/files/ and https://www.libssh.org/security/ are intentional. We want the content to be public.
- The security keys in the tests/ directory in the source tarball or git repository are intentional and only used for testing.
- Hard-coded secrets in the example/ directory in the source tarball or git repository are intentional.
Reporting Security Defects in libssh
Please report all security defects to security@libssh.org and never on IRC, Matrix, public mailing lists or in our Bug Tracker. If your vulnerability meets the eligibility criteria, you can request a bug bounty.
You can find details about our security process here. We can also suggest the talk by Jeremy Allison about Handling Security Flaws in an Open Source Project.