Security Contact

The FreeRADIUS security contact is security@freeradius.org. All security related information or notifications should be sent to that address. Security notifications may be signed with the PGP key for aland@freeradius.org.

FreeRADIUS Security

We do our best to ensure that the server has no security problems. The tools we use to help ensure security are:

These practices are not perfect. The test suite is growing, but does not cover all of the server's functionality. As a result, the latest releases may still have bugs. The version 2 "stable" release undergoes less code churn, and is the "long term support" stable and bug-free release. The version 3 "feature" release has significantly more code churn, and therefore may have more issues than version 2.

Security of the RADIUS Protocol

The security papers page lists some general issues with RADIUS security.

Vulnerability Notifications

Non-Vulnerability Notifications

Some "vulnerability" notifications issued for FreeRADIUS are, in fact, non-issues. These notifications are usually sent by the originator to various security lists, without first notifying us. This practice is problematic, because it does not give us the opportunity to respond, or to correct the underlying problem before it can be exploited.

We therefore recommend that anyone finding a potential issue with FreeRADIUS contact us using the security contact information listed above. We will work with you to issue a coordinated statement about the problem.

People who do not contact us, and who issue "vulnerabilities" that are not real vulnerabilities get listed below. This affords us the opportunity to give an official response in a public forum.