6

I have found a security issue in Tor which allows for information leakage in certain scenarios. I went to report this to the Tor project, but found nothing more than a bug tracker, and no obvious documentation of a procedure to report significant security issues. Even web searches just led me back and forth between the bug tracker and Wikipedia, which is rather useless.

While I discovered that the issue I found is already in the bug tracker, it has been there for over a month with no apparent attention paid to it, and was not in any way marked as a security issue.

What is the best way to get Tor project members' attention for this issue? (And, in my case, to do so anonymously?)

1 Answer

1

The Tor Project maintains several email accounts and mailing lists. The table at administrative lists shows the mailing list tor-security. So tor-security@lists.torproject.org is the contact address you're looking for.

There is a trac entry which discusses a documented way to report vulnerabilities (see #9186). There was discussion of creating an OpenPGP key for the list tor-security, but as far as I see it there is none yet.

So when you want to report security issues you should send a private encrypted mail to Nick Mathewson, Andrea Shepard or Roger Dingledine using their GnuPG keys.

Jens Kubieziel