Being a network client which interacts with untrusted users and servers, managing vulnerabilities and security response is important to the Pidgin project and to our users. We have established procedures for collecting security-related information, and for disclosing this information to the public.
Please see our comprehensive list of known and reported security advisories for information on past vulnerabilities.
If you believe you have discovered a security problem or vulnerability in Pidgin, libpurple, Finch, or one of our related projects, please let us know by using one of the following methods:
Pidgin Developersteam. The visibility selection we are referring to can be verified by looking for it right above the Create button. Setting a limited visibility is of utmost importance as otherwise we’d need to consider the vulnerability to have been made public since everyone could read it from our issue tracker.
In order to help us fix the problem as quickly as possible and with as little exposure to malicious intent to our users as can be managed, we ask that you give us a chance to fix the problem before you publish its existence or details in a public forum, and that you provide us with as much information as you can. In return, we will endeavor to respond to your concerns in a timely fashion. When reporting a security-related bug or a vulnerability, please provide us with as much of the information in the following list as possible. If you don’t know what something is or how to provide it, that’s OK, leave it out and tell us what you do know.
<foo>; causes Pidgin to write data to an invalid memory location.”
pidgin --debug), etc.
We maintain a list of packagers and maintainers of Pidgin and related software which we notify of security vulnerabilities and their fixes prior to disclosure to the public. This allows packagers and distributors of our software to release patched or updated versions simultaneously with the public disclosure of known issues. We attempt to provide sufficient advance warning to this list that packages may be properly prepared before disclosure.
If you believe you should be on this list, please contact firstname.lastname@example.org and let us know why.