Process/Vulnerability Reports
Blender Vulnerability Reporting Policy
General Process
Security issues should be reported to security[at]blender.org. The security team will typically get back to vulnerability reporters within several days.
Timelines
Since addressing most vulnerabilities in Blender requires coordination between developers, the time between the initial report of a vulnerability and its public disclosure will vary.
Expectations for handling vulnerabilities:
- All reports responded to within 14 days.
- All medium or high severity vulnerabilities patched within 60 days of having been publicly known.
- All critical vulnerabilities fixed shortly after they are reported.
- Updates to official Blender releases made available for both current and long term support (LTS) releases.
Vulnerability vs Regular Bug
It is not possible to provide guidance on what constitutes a security vulnerability and what is just an ordinary software bug. When in doubt, please contact the Blender security team.
Public Disclosure
Security related issues are to be disclosed by Blender's security team via Blender's issue tracking system, tagged with Meta: Security.
Disclosure may be postponed until a fix is available.
3rd Party Libraries
The security team actively tracks CVEs for Blender and 3rd party libraries. When such a vulnerability is determined to impact Blender releases, updates and public disclosure are handled the same as other security issues.