From 7ff1649d8909917cae590c68def6eecac0442f91 Mon Sep 17 00:00:00 2001 From: Lauri Ojansivu Date: Fri, 14 Nov 2025 07:47:31 +0200 Subject: [PATCH] Updated security.md --- SECURITY.md | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 0ad7a0256..5cde5926b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,12 +1,20 @@ -About money, see [CONTRIBUTING.md](CONTRIBUTING.md) -Security is very important to us. If you discover any issue regarding security, please disclose -the information responsibly by sending an email from Protonmail to security@wekan.fi -that is Protomail email address, or by using this PGP key -[security-at-wekan.fi.asc](security-at-wekan.fi.asc) to security@wekan.fi -and not by creating a GitHub issue. We will respond swiftly to fix verifiable security issues. +## Responsible Security Disclosure -We thank you with a place at our hall of fame page, that is at https://wekan.fi/hall-of-fame +- To send email, use [ProtonMail](https://proton.me) email address or use PGP key [security-at-wekan.fi.asc](security-at-wekan.fi.asc) +- Send info about security issue ONLY to security@wekan.fi (that is Protomail email address). NOT TO ANYWHERE ELSE. NO CC, NO BCC. +- Wait for new WeKan release that fixes security issue +- If you approve, we thank you by adding you to Hall of Fame: https://wekan.fi/hall-of-fame/ + +## Bonus Points + +- If you include code for fixing security issue + +## Losing Points + +- If you ask about [bounty](CONTRIBUTING.md). There is no bounty. WeKan is NOT Big Tech. WeKan is FLOSS. +- If you forget to include vulnerability details. +- If you send info about security issue to somewhere else than security@wekan.fi ## How should reports be formatted? @@ -26,7 +34,7 @@ CWSS (optional): %cwss Anyone who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated may be upon their approval -added to the Wekan Hall of Fame. +added to the WeKan Hall of Fame https://wekan.fi/hall-of-fame/ ## Which domains are in scope? @@ -63,11 +71,6 @@ and by by companies that have 30k users. - If you are thinking about TLS MITM, look at https://github.com/caddyserver/caddy/issues/2530 - Let's Encrypt TLS requires publicly accessible webserver, that Let's Encrypt TLS validation servers check. - If firewall limits to only allowed IP addresses, you may need non-Let's Encrypt TLS cert. -- For On Premise: - - https://caddyserver.com/docs/automatic-https#local-https - - https://github.com/wekan/wekan/wiki/Caddy-Webserver-Config - - https://github.com/wekan/wekan/wiki/Azure - - https://github.com/wekan/wekan/wiki/Traefik-and-self-signed-SSL-certs ## XSS @@ -269,9 +272,4 @@ Typical already known or "no impact" bugs such as: - Email spoofing, SPF, DMARC & DKIM. Wekan does not include email server. Wekan is Open Source with MIT license, and free to use also for commercial use. -We welcome all fixes to improve security by email to security@wekan.team - -## Bonus Points - -If your Responsible Security Disclosure includes code for fixing security issue, -you get bonus points, as seen on [Hall of Fame](https://wekan.github.io/hall-of-fame). +We welcome all fixes to improve security by email to security@wekan.fi