The Open5GS project takes security vulnerabilities seriously.
If you believe you have discovered a security issue in Open5GS, please report it privately and avoid public disclosure until the issue has been reviewed and addressed.
Please report vulnerabilities privately using GitHub's "Report a vulnerability" button under the Security tab (Security → Advisories → Report a vulnerability). This opens a private advisory visible only to the maintainers.
When reporting a vulnerability, please include:
- Description of the issue
- Affected version(s)
- Steps to reproduce
- Proof of concept, if available
- Potential impact
This policy covers security vulnerabilities in the source code of the open5gs/open5gs repository, including the network function implementations and the bundled WebUI.
The following are generally considered out of scope:
- Vulnerabilities in third-party software or dependencies
- Issues caused by deployment or configuration choices outside Open5GS
- Reports generated only by automated scanners without demonstrated impact
- Theoretical issues without a realistic threat model or attack scenario
Users are encouraged to use the latest stable release of Open5GS.
Security fixes are generally applied to actively maintained versions.
Please allow maintainers reasonable time to investigate and address reported vulnerabilities before public disclosure.
The Open5GS project appreciates responsible and coordinated vulnerability disclosure.