At ntop we do our best to protect your security while providing you open-source products. In particular:
- Our open source code is on Github.
- Our public SVN server is accessible only through SSL so that you can verify the identity of our server.
- All our packages (available for CentOS and Debian/Ubuntu) are digitally signed with a PGP key that you can use to verify the integrity of our packages (you can learn more here and here).
- We try to write safe code, checking memory boundaries and minimising the use of administrative privileges during packet capture.
- We have contributed to various open-source security tools including Snort, Suricata and Bro where we have integrated our work to make these tools faster and thus more effective.
Nevertheless if you believe you have discovered a security issue, please send an email to email@example.com with information and detailed instructions on how to reproduce the issue. You can use our PGP key to communicate with us securely. Emails sent to firstname.lastname@example.org will be read and acknowledged with a non-automated response within three working days.
We promote the ethical disclosure of security bugs. For this reason, we kindly ask that security professionals act in good faith and follow
these simple principles:
- Share all available details, including proof-of-concept or any other artefact.
- Give us a reasonable time to fix or mitigate the issue before any public disclosures.