Security

If you came here looking for end-user support, please send any questions not related to a specific security bug to users@global.libreoffice.org.

The security teams for products associated with the codebase can be contacted at officesecurity@lists.freedesktop.org - this includes representatives of many vendors, and associated projects. This email address is solely for reporting security issues related to the software. If your virus checker is flagging a LibreOffice download as containing a virus, this is almost certainly a false positive. Please check with another anti-virus vendor, and/or file a bug report with them before bothering the security list. Also please consider purchasing a more accurate virus checker.

In your report, please include the following information:

  1. In what version did you identify the specific security problem
  2. If it is platform dependent, which platform are you using
  3. A proof of concept if possible

The list of security advisories is available here.

Please note that bugs which cause the application to crash, but are otherwise un-exploitable are not treated as security vulnerabilities, and finders are encouraged to diagnose and contribute fixes to recent versions of LibreOffice in the normal way.

Incident Response Procedure

  1. You privately share the details of the security vulnerability with our Security Team by emailing officesecurity@lists.freedesktop.org
  2. We acknowledge your submission and verify the vulnerability. Our first answer generally comes under 48 hours.
  3. Our policy is to disclose the vulnerability to the public within 30 days of resolution of the issue
  4. Reports will be credited in security advisories, but reporters may remain anonymous if they wish.