Subversion Security

If you discover a security vulnerability in Subversion, please email this address (which is deliberately not hosted at tigris.org, so that the list can be kept completely private):

svnsecurity {@} red-bean.com

(Take off the spaces and curly braces, of course.)

It is safe to send sensitive reports to this address: list membership is controlled, and the archives are not publicly accessible. We will analyze your report and take appropriate action. Our usual procedure is to:

  1. Make a fix for the vulnerability.
  2. Discreetly distribute the fix to a few large sites that run Subversion servers and are trusted to be discreet themselves.
  3. Release a new version of Subversion (containing just that fix) and publicly announce the vulnerability on the same day.

This procedure may vary depending on the nature of the vulnerability and the degree of pre-existing public awareness, of course.

Please do not reproduce the above email address on other web pages or in public postings. Due to the need for responsiveness, the security list is unmoderated, which makes it particularly vulnerable to spammers. We want to avoid changing the list address, because it's good to have a consistent, dependable place to report security holes.

On this page, the address has been encoded in various ways to reduce the likelihood of a spam harvester noticing it. But if the address starts appearing in other places on the Internet, then the harvesters will inevitably pick it up, and we'll be stuck wading through ever-increasing amounts of spam, trying not to lose important vulnerability reports in the noise.