When we discover a security vulnerability in NTP we follow our Phased Vulnerability Process which includes first notifying Institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally make a public announcement.
Security Patch Policy
When security patches are ready, they are first given to Premier and Partner Institutional members of the NTP Consortium at Network Time Foundation, then access instructions are provided to CERT, and finally the public release is made on the embargo date.
For more information about our NTP Consortium and how to become a member, see (http://www.nwtime.org/membership/benefits/)
Reporting Security Issues
Security related bugs, confirmed or suspected, are to be reported by e-mail to email@example.com.
Do not disclose details with unencrypted email-we will exchange PGP keys for further discussion.
You can also use our NTP Security Officer Key, for reporting issues you have verified are security related.
Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet news-group, our Bug Tracking system, firstname.lastname@example.org, or any other mailing-list.
Network Time Foundation is continually looking for ways to improve the NTP code. We have announced the Network Time Security project (NTS), replacing Autokey, and will soon be announcing the first production release of the NTP “leaf node” client from the Ntimed Project.
For years NTF’s NTP Project has routinely submitted the NTP code base through Coverity’s security analysis scans and in 2015 we went from several hundred issues found — down to nine. That gives us a “defect density” rating of 0.05, or 1 defect detected for every 20,000 lines of code scanned. For comparison, the average defect density of other open source projects of our size category is 0.5, or one defect for every 2,000 lines of code.
NTF’s NTP Project code base has also been run through Veracode and HP’s Fortify on Demand (FoD).
We especially want to thank all of our volunteers who have contributed bug fixes and improvements over the years and continue to do so. You can learn about them from our bug database and ChangeLog file.
|Latest Resolved Issues
August 2018 ntp-4.2.8p12 NTP Release and Security Vulnerability Announcement
The NTP Project at Network Time Foundation publicly released ntp-4.2.8p12 on Tuesday, 14 August 2018. This release improves on one security issue in
And one security issue in
This release also provides 27 minor bug and documentation fixes and 4 other improvements.
E-Notification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.