Skip to content

Security: wekan/hx

Security

SECURITY.md

Security is very important to us. If you discover any issue regarding security, please disclose the information responsibly by sending an email to support (at) wekan.team using this PGP public key and not by creating a GitHub issue. We will respond swiftly to fix verifiable security issues.

We thank you with a place at our hall of fame page, that is at https://wekan.github.io/hall-of-fame

How should reports be formatted?

Name: %name
Twitter: %twitter
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
CVSS (optional): %cvss
CWSS (optional): %cwss

Who can participate in the program

Anyone who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated may be upon their approval added to the Wekan Hall of Fame.

Which domains are in scope?

No public domains, because all those are donated to Wekan Open Source project, and we don't have any permissions to do security scans on those donated servers

Please don't perform research that could impact other users. Secondly, please keep the reports short and succinct. If we fail to understand the logics of your bug, we will tell you.

You can Install Wekan.hx to your own computer and scan it's vulnerabilities there.

About Wekan.hx versions

There is only one prototype of Wekan.hx, that does not even work yet.

What Wekan.hx bugs are eligible?

Any typical web security bugs. If any of the previously mentioned is somehow problematic and a security issue, we'd like to know about it, and also how to fix it:

  • Cross-site Scripting
  • Open redirect
  • Cross-site request forgery
  • File inclusion
  • Authentication bypass
  • Server-side code execution

What Wekan.hx bugs are NOT eligible?

Typical already known or "no impact" bugs such as:

  • Well, nothing yet, because Wekan.hx does not work at all yet.

Wekan is Open Source with MIT license, and free to use also for commercial use. We welcome all fixes to improve security by email to security (at) wekan.team .

Bonus Points

If your Responsible Security Disclosure includes code for fixing security issue, you get bonus points, as seen on Hall of Fame.

There aren’t any published security advisories