Security is very important to us. If you discover any issue regarding security, please disclose the information responsibly by sending an email to support (at) wekan.team using this PGP public key and not by creating a GitHub issue. We will respond swiftly to fix verifiable security issues.
We thank you with a place on our Hall of Fame page at https://wekan.github.io/hall-of-fame
Name: %name
Twitter: %twitter
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
CVSS (optional): %cvss
CWSS (optional): %cwss
Anyone who reports a unique security issue in scope and does not disclose it to a third party before we have patched and released an update may, upon their approval, be added to the Wekan Hall of Fame.
No public domains are in scope, because all of those servers are donated to the Wekan Open Source project, and we do not have any permission to run security scans on those donated servers.
Please don't perform research that could impact other users. Secondly, please keep reports short and succinct. If we fail to understand the logic of your bug, we will tell you.
You can install Wekan.hx on your own computer and scan it for vulnerabilities there.
There is currently only one prototype of Wekan.hx, and it does not even work yet.
Any typical web security bug, such as the following. If any of these is somehow problematic and a security issue, we'd like to know about it, and also how to fix it:
- Cross-site Scripting
- Open redirect
- Cross-site request forgery
- File inclusion
- Authentication bypass
- Server-side code execution
Typical already known or "no impact" bugs such as:
- Well, nothing yet, because Wekan.hx does not work at all yet.
Wekan is Open Source under the MIT license, and free to use, including for commercial use. We welcome all fixes that improve security by email to security (at) wekan.team.
If your Responsible Security Disclosure includes code for fixing the security issue, you get bonus points, as seen on the Hall of Fame.