# Statement regarding GNU Savannah security reports > Source: > Published: 2026-06-20 01:04:41+00:00 # Statement regarding GNU Savannah security reports [Free Software Foundation](https://www.fsf.org/author/fsfweb) [Contributions](https://www.fsf.org/contribs/fsfweb)— Published on Jun 19, 2026 05:12 PM In early May, security researchers from [Hacktron](https://hacktron.ai) reported vulnerabilities affecting [GNU Savannah](https://savannah.gnu.org) and demonstrated an exploit. We have been working with these researchers since their initial report, and have also addressed additional security issues they submitted. All reported issues have been patched thanks to the hard work of GNU and FSF volunteers, as well as FSF staff. After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah's software supply chain. Nevertheless, we take the security of the GNU system, the tools which make it possible, and the projects we host very seriously. This body of software has become essential to millions (if not billions) of users around the world. We are therefore taking additional precautionary steps. Though the initial security issue was reported to us in early May, the vulnerabilities were discovered in software that was published approximately two years prior. We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects. We have also communicated with the other Savane instances we're aware of to assist their review of their own environments, and take any steps needed to help protect their users. If you host your own instance of the Savane forge and believe you may be affected, you can contact us for guidance on mitigation steps and patching your systems. We thank Hacktron for informing us about these issues. As we have [previously documented](https://www.fsf.org/bulletin/2025/spring/defending-savannah-from-ddos-attacks), maintaining critical free software infrastructure requires sustained effort, specialized expertise, and long-term resilience. These requirements have increased exponentially in the last few years. Systems like Savannah support essential collaboration across the free software movement, and keeping them reliable and secure depends on the work of dedicated volunteers and staff. If you would like to help us with the increased security challenges we are facing, please consider becoming an [associate member](https://my.fsf.org/join) or [making a donation](https://my.fsf.org/donate). This statement is intended as an initial notice. We expect to publish a report on the incident within 30 days.