= Reporting security vulnerabilities = If you discover a security vulnerability in OpenVPN's [https://github.com/OpenVPN open source projects], please send email to security@openvpn.net. = How we handle security issues = The basic goals were defined in the IRC meeting on [http://thread.gmane.org/gmane.network.openvpn.devel/3841 15th July 2010]. We attempt to disclose security issues in 3 weeks - or less, if a fix is ready. If a fix is not ready in 3 weeks the issue we should disclosed it nevertheless and provide workarounds (if any) to users and then fix the issue a.s.a.p. Also, ''all'' security issues - whether they're theoretical or being exploited - should be fixed. All our users should also be informed about vulnerabilities in external software OpenVPN depends on (e.g. OpenSSL). This will be done after developers of the external software have already disclosed the vulnerability.