Skip to content

Security: sipXtapi/sipXtapi

SECURITY.md

Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in sipXtapi, please report it privately so it can be triaged and fixed before public disclosure.

Please include:

  • the affected component (STUN, RTP, RTCP, DNS resolver, etc.) and file(s),
  • a description of the issue and its impact,
  • steps to reproduce or a proof-of-concept if available,
  • any suggested remediation.

We aim to acknowledge new reports within a few business days. Please give us a reasonable opportunity to release a fix before disclosing the issue publicly.

Supported Versions

sipXtapi is developed on the master branch, and fixes are delivered there. Security fixes are not backported to older tags; users are encouraged to track master (or the latest release) to receive them.

Disclosure and Advisories

Fixed vulnerabilities are documented as GitHub Security Advisories (GHSAs) for this repository, with CVE identifiers assigned through GitHub's CNA. Published advisories are listed on the Security Advisories page and flow into the GitHub Advisory Database so downstream users are notified.

Acknowledgments

We thank the following researchers for responsibly reporting security issues:

  • Tristan Madani — a set of pre-authentication memory-safety issues in the STUN, RTP, RTCP, and DNS response parsers (heap out-of-bounds reads/writes and integer underflows), reported in 2026.

There aren't any published security advisories