Please contact security@libreswan.org if you suspect you have found a security issue or vulnerability in libreswan. Encrypted email can be received encrypted to the libreswan OpenPGP key.
We strongly encourage you to report potential security vulnerabilities to us before disclosing them in a public forum or in a public security paper or conference. The Libreswan Team typically responds within a few days but usually needs a few weeks to publish a new release with the security fix. The Libreswan Team does not accept any third party clauses before receiving information. A vulnerability reporter cannot mandate a timeline of public disclosure, however The Libreswan Team might accept reasonable requests for short delays.