Security

The GnuPG Project takes the security of software it develops very seriously. In general we prefer a full disclosure approach and all bugs listed in our bug tracker as well as code changes in our software repository are public. Given that GnuPG is an important part of many software distributions and severe bugs in GnuPG would affect their users directly, we co-ordinate with them in private as soon as we learn about a severe vulnerability.

Sometimes we receive pre-notifications of research which may lead to a new kind of vulnerability. In these cases we may work with the researchers in private on a solution and co-ordinate our fix release with them.

Threat Model of libgcrypt

For libgcrypt, as it is a library, it is intended to be used widely. Thus, users can run the code in any environment they wish. However, there is hardware which may allow access to fine-grained side channels. Those hardware-related threats are out of the scope of the libgcrypt threat model. It is up to users not to offer any access to those side channels in such use cases.

Security contact

If you found a severe security problem and you do not want to publish it, please report it by mail to security at gnupg.org. We prefer reports in plain text format; if needed we can also work with PDF files. For security reasons we won't read any other complex data formats (e.g. docx or odt).

Note that we do not use a team OpenPGP key. Thus please write a non-encrypted message to the security address and ask for the keys of the developers on duty, and then encrypt the mail to all of them. A list of our core developers can be found here; they are all active on the gnupg-devel mailing list.