How can I report a security vulnerability?
Please send us an email at firstname.lastname@example.org. Do not use GitHub or any other public channel. We ask that you keep the issue confidential until we have a fix and an announcement ready.
You can encrypt the content of your email using GPG with the following key:
Once the security issue is confirmed, our team will take the following actions:
- First try to reproduce the issue and confirm the vulnerability.
- Acknowledge to the reporter that we’ve received the issue and are working on a fix.
- Get a fix/patch prepared and create associated automated tests.
- Prepare a post describing the vulnerability and the possible exploits.
- Release new versions of all affected major versions.
- Prominently feature the problem in the release announcement.
- Credit the reporter in the release announcement if they so desire.