Security
The security of R-fx Networks projects and the infrastructure they protect is a top priority. We appreciate responsible disclosure of vulnerabilities and will work with you to address them promptly.
Reporting a Vulnerability
If you discover a security vulnerability in any R-fx Networks project (LMD, APF, BFD, or others), please report it privately. Do not open a public GitHub issue for security vulnerabilities.
PGP Encryption
For sensitive reports, encrypt your message using the PGP public key available at keybase.io/rfxn/pgp_keys.asc. You can also verify identity proofs on the Keybase profile.
What to Include
- Affected project and version (e.g. LMD 1.6.5, APF 9.7-3)
- Description of the vulnerability and its potential impact
- Steps to reproduce or proof-of-concept
- Suggested fix, if you have one
- Your preferred attribution name (or indicate if you prefer anonymity)
Response Timeline
- Report: Send your report via encrypted message on Keybase or email. Include as much detail as possible.
- Acknowledge: We will acknowledge receipt within 48 hours and begin triage.
- Investigate: We will investigate, reproduce, and assess severity. We may reach out for additional detail.
- Fix & Release: A patch will be developed, tested, and released. You will be credited unless you prefer anonymity.
Scope
This policy covers all R-fx Networks open source projects, including but not limited to:
Our Commitment
- We will acknowledge receipt of your report within 48 hours.
- We will provide an initial assessment of severity within 5 business days.
- We will not pursue legal action against researchers acting in good faith.
- We will credit reporters in release notes and changelogs unless anonymity is requested.
- We will coordinate disclosure timing with you before any public announcement.
This policy is also available in machine-readable format at /.well-known/security.txt per RFC 9116.