Intro
Safety and data security are of the utmost priority for Deltablot. If you are a security researcher and have discovered a security vulnerability in our code base, we appreciate your help in disclosing it to us in a responsible manner.
Scope
You can report vulnerabilities present in the software for which source code is hosted in these repositories:
- https://github.com/elabftw/elabftw
- https://github.com/elabftw/elabdoc
- https://github.com/elabftw/elabctl
- https://github.com/elabftw/elabimg
- https://github.com/deltablot/malle
For eLabFTW/elabimg: vulnerabilities that cannot be reproduced in the official Docker image deployment are not eligible. For instance, a setup in which the Content-Security-Policy header has not been set correctly, or in which a different web server software or configuration is being used, is out of scope.
You are not allowed to search for vulnerabilities on any instance of Deltablot products found in the wild nor on the official Demo instance at demo.elabftw.net. It is recommended that you do your research on a local installation.
If you want to perform testing that might break things, please contact us to arrange access to a private staging server.
Means of contact
Please contact us to report any security vulnerabilities found through an encrypted Keybase chat: https://keybase.io/nicolascarpi
If you don't get a response within 24 hours, it means something went wrong and you should get in touch with us via other means (email, Gitter private chat, Twitter), without disclosing the issue in that channel.
Policy
If your report is reproducible as an exploit and results in a change to the code base or documentation of a Deltablot product, we will, at your option, publicly acknowledge your responsible disclosure and publish a Security Advisory (attached to a CVE).
After a fix is made, we ask security researchers to wait 30 days after a release before announcing the specific details of a vulnerability, and to provide Deltablot with a link to any such announcements.
Bounty
We believe it is important to reward the responsible attitude of security researchers and to stimulate research. Depending on the severity of the vulnerability, a reward of up to $500 (minimum $50) can be awarded, at our discretion.