Vulnerabilities (as well as other bugs) should be reported directly using the GitHub issue tracker.
Corner cases that do not raise a security concern are not covered by our security policy. For example, isolated overflows generated by fuzzers and reported by ASAN that do not lead to a crash are excluded.
Please include all information needed to reproduce the issue, including a sample file.
Sample files can be attached directly via GitHub (preferred way) or uploaded to the GPAC file drop.
If you require a CVE ID you can request one from MITRE or other CNAs. We do not assign CVE IDs ourselves.
GPAC is under constant development using a continuous integration and deployment process. As a consequence, the HEAD of the master branch is always considered the current version at any point in time.
Thus, only reports that are confirmed reproducible on the current HEAD of the master branch will receive a patch.
If public disclosure seems unreasonable, or if confidential information needs to be shared, you can contact security@gpac.io for private disclosure.
Use security@gpac.io for all other security-related inquiries.