bayrepo
/
hestiacp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'devel'
${ noResults }
hestiacp/SECURITY.md

52 lines
2.0 KiB
Raw Permalink Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

# Hestia CP Security policy
Welcome and thanks for taking interest in Hestia CP!
We are mostly interested in reports by actual Hestia CP users but all high quality contributions are welcome.
If you believe that you have have discovered a vulnerability in Hestia Control Panel,
please let our development team know by submitting a report [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) Bounties and CVEs are automatically managed and allocated via the platform.
If you are unable to use [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) please send an email to <info@hestiacp.com>
We ask you to include a detailed description of the vulnerability, a list of services involved (e.g. exim, dovecot) and the versions which you've tested, full steps to reproduce the vulnerability, and include your findings and expected results.
Please do not open any public issue on Github or any other social media before the report has been published and a fix has been released.
With that, good luck hacking us ;)
## Supported versions
| Version | Supported |
| ------- | ------------------ |
| Latest | :white_check_mark: |
## Qualifying Vulnerabilities
### Vulnerabilities we really care about
- Remote command execution
- Code/SQL Injection
- Authentication bypass
- Privilege Escalation
- Cross-site scripting (XSS)
- Performing limited admin actions without authorization
- CSRF
### Vulnerabilities we accept
- Open redirects
- Password brute-forcing that circumvents rate limiting
## Non-Qualifying Vulnerabilities
- Theoretical attacks without proof of exploitability
- Attacks that are the result of a third party library should be reported to the library maintainers
- Social engineering
- Reflected file download
- Physical attacks
- Weak SSL/TLS/SSH algorithms or protocols
- Attacks involving physical access to a users device, or involving a device or network thats already seriously compromised (eg man-in-the-middle).
- The user attacks themselves
- anything in `/test/` folder
Reference in new issue View Git Blame Copy Permalink