Intro
Safety and data security are our top priority at Deltablot. If you are a security researcher and have discovered a security vulnerability in our code base, we would appreciate your help in disclosing it to us in a responsible manner.
Scope
You can report vulnerabilities present in the software. The source code is hosted in these repositories:
- https://github.com/elabftw/elabftw
- https://github.com/elabftw/elabdoc
- https://github.com/elabftw/elabctl
- https://github.com/elabftw/elabimg
- https://github.com/deltablot/malle
For eLabFTW/elabimg: vulnerabilities that cannot be reproduced in the official Docker image deployment are not eligible. This includes instances where the Content-Security-Policy header has not been set correctly, or where a different web server software or configuration is being used.
You are not allowed to search for vulnerabilities on any instance of Deltablot products found in the wild, nor on the official Demo instance of eLabFTW located at demo.elabftw.net. It is recommended that you do your research on a local installation.
If you want to perform testing that might break things, please contact us to arrange access to a private staging server.
Means of contact
Please contact us to report any security vulnerabilities that you find using an encrypted Keybase chat: https://keybase.io/nicolascarpi
If you don’t receive a response within 24 hours, it means something went wrong with the chat. In this case, please get in touch with us via other means (email, gitter private chat, X.com), without disclosing the security issue in this context.
Policy
If your report is reproducible as an exploit and results in a change to the code base or documentation of a Deltablot product, we will (at your discretion) publicly acknowledge your responsible disclosure and publish a Security Advisory (attached to a CVE).
After a fix is made, we ask security researchers to wait 30 days after a release before announcing the specific details of a vulnerability, and to provide Deltablot with a link to any such announcements.
Bounty
We believe that it is important to reward responsible security researchers and to stimulate security research. Depending on the severity of the vulnerability, a reward of up to $500 (minimum $50) may be awarded, at our discretion.