Reporting security vulnerabilities
If you discover a security vulnerability in OpenVPN's open source projects, please send email to security@….
How we handle security issues
The basic goals were defined in the IRC meeting on 15th July 2010. We attempt to disclose security issues in 3 weeks - or less, if a fix is ready. If a fix is not ready in 3 weeks the issue we should disclosed it nevertheless and provide workarounds (if any) to users and then fix the issue a.s.a.p. Also, all security issues - whether they're theoretical or being exploited - should be fixed. All our users should also be informed about vulnerabilities in external software OpenVPN depends on (e.g. OpenSSL). This will be done after developers of the external software have already disclosed the vulnerability.