Some specific things not to report to libssh!
- libssh is a public open source project, so we have a public git web instance at https://git.libssh.org. This is intentional; please do not report it (again).
- Directory listings on https://www.libssh.org/files/ and https://www.libssh.org/security/ are intentional. We want the content to be public.
- The security keys in the tests/ directory in the source tarball or git repository are intentional and only used for testing.
- Hard-coded secrets in the example/ directory in the source tarball or git repository are intentional.
Reporting Security Defects in libssh
Please report all security defects to and never on IRC, Matrix, public mailing lists or in our Bug Tracker. If your vulnerability meets the eligibility criteria, you can request a bug bounty.
You can find details about our security process here. We also recommend Jeremy Allison's talk on Handling Security Flaws in an Open Source Project.