From 98f7403f6f5bd12833ecc3cb17fa5ffe741858a5 Mon Sep 17 00:00:00 2001 From: Lauri Ojansivu Date: Thu, 12 Mar 2026 00:34:36 +0200 Subject: [PATCH] Updates --- SECURITY.md | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 5c232b4e8..346d7c1b0 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,13 +1,23 @@ ## Responsible Security Disclosure -- To send email, is possible, use PGP key [security-at-wekan.fi.asc](security-at-wekan.fi.asc) -- Send info about security issue ONLY to security@wekan.fi . NOT TO ANYWHERE ELSE. NO CC, NO BCC. - You have no permission to share details with anyone else. - You have no permission to request any new GHSA or CVE ID or write technical posts or talks about vulnerabilities. - All vulnerability details are private to security@wekan.fi only. -- Wait for new WeKan release that fixes security issue -- If you approve, we thank you by adding you to Hall of Fame: https://wekan.fi/hall-of-fame/ +1. To send email, if possible, use PGP key [security-at-wekan.fi.asc](security-at-wekan.fi.asc) +2. Send info about security issue ONLY to security@wekan.fi . NOT TO ANYWHERE ELSE. NO CC, NO BCC. +3. Wait for new WeKan release that fixes security issue to appear to top of + https://github.com/wekan/wekan/blob/main/CHANGELOG.md +4. We will thank you by adding you to Hall of Fame: https://wekan.fi/hall-of-fame/ +5. All vulnerability details will be private to security@wekan.fi , + unless you help all WeKan platforms to have a way to upgrade, like sending + database migrations code to security@wekan.fi or PRs to https://github.com/wekan/wekan/pulls . + There is no benefit to Wordwide Security Community to have more details about vulnerabilities, + if Worldwide Security Community does not help to make upgrades possible. +6. If there some day becomes available a way to upgrade all WeKan platforms, + this page will be updated to add permission for security researchers + to request new GHSA or CVE ID and publish your vulnerability details at your blog, talks, etc, + and send that info also to security@wekan.fi to be added to + Hall of Fame: https://wekan.fi/hall-of-fame/ to get Upgrade Bonus Point Stars. 
+ In that case, it will become possible for security@wekan.fi to publish all + remaining private security details, and publicly thank Worldwide Security Community. ## Bonus Points
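Review bot: The removed lines "You have no permission to share details with anyone else" and "You have no permission to request any new GHSA or CVE ID ..." have no explicit replacement in the new list, yet item 6 only makes sense if that restriction still applies today ("this page will be updated to add permission"). As written, a reporter reading items 1 to 5 cannot tell what they may or may not do right now. Suggest stating the current rule directly in item 5 and keeping item 6 for the future change only. Item 5 also makes privacy conditional on "unless you help all WeKan platforms to have a way to upgrade" without saying who decides when that condition is met or what happens to the details then, which overlaps with item 6; one of the two should own that condition. Item 4 drops "If you approve", so the Hall of Fame entry is no longer opt-in; keep the consent wording so that reporters who want to stay anonymous can. Item 3 tells the reporter to wait for a release but gives no expected acknowledgement or fix timeframe. Smaller points: "Wordwide" in item 5 should be "Worldwide", "to appear to top of" in item 3 should read "to appear at the top of", and the subject "Updates" does not say that this commit changes the disclosure policy.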