Thanks to the wide distribution of the Linphone software under its open-source license (GPLv3), numerous security researchers are inspecting its source code and searching for potential vulnerabilities.
Our engineering team is closely listening to and working with these volunteers, who usually contact us through our dedicated email address vulnerabilities@linphone.org to submit their security advisories.
Our team then promptly releases fixes in the current stable and development branches of Linphone or Linphone-sdk, making our software more robust.
Some months later, the vulnerability is published as a CVE (Common Vulnerabilities and Exposures, https://cve.mitre.org) report, following common practice in the software industry.
Note that whether a vulnerability can actually be exploited depends heavily on the configuration the software is used with.
Typically, a Linphone-based client restricted by configuration to connect only to a single SIP service through TLS has reasonable security enforcement in place, and as such is less likely to be exposed to vulnerabilities.
Should a critical vulnerability be discovered by external researchers or by ourselves, our potentially impacted customers will be contacted shortly to be advised of a software update.
In all cases, if you are concerned about a CVE published for Linphone or one of its dependencies, feel free to consult us through our support service, so that we can make a realistic evaluation of the security risks.
Every product based on the Linphone libraries (Linphone-sdk) should stay as close as possible to our latest official release, to benefit from the latest improvements, bug fixes and security fixes.