This repository has been archived by the owner on Apr 16, 2023. It is now read-only.

Security: jeakfrw/jeak-framework

Security Policy

Supported Versions

This section lists which versions of the framework are currently supported with security updates.

Version Supported
1.1.X
1.0.X
< 1.0

Reporting a Vulnerability

Collect information

To report a vulnerability, please prepare and collect the following information. We do not expect complete answers to every point, but we depend on this context to evaluate your report.

  • Did you track down the cause of the vulnerability? If so, is it caused by a plugin or the framework?
  • What type of vulnerability do you want to report? (You can reference a CWE identifier here if you are familiar with the CWE database.) Here are some examples:
    • Exposure of information
    • Manipulation of data
    • Service disruption
    • Remote code execution
    • Griefing/Trolling (causing annoyance to users without actual service disruption)
  • Through which channel can this vulnerability be exploited?
    • [A] Malicious input from TeamSpeak.
    • [B] Malicious input via HTTP.
    • [C] Installation of a malicious plugin.
    • [D] Malicious configuration.
    • [E] Misconfiguration. (Not to be confused with [D], which is intentional; this covers configuration mistakes made in good faith.)
  • How did you find this vulnerability? (Yes, we want to know the story :) )
  • Have you seen this vulnerability being exploited in the wild?
  • How critical would you rate this vulnerability (and why)?

Can I expect support for the vulnerability found?
It depends.
We provide support for the exploitation channels A, B and E. For channels C and D we can only provide limited support, and only for vulnerabilities with severe risk.
If you aren't sure, don't hesitate to contact us.

Sending your report

Please do not publicly disclose vulnerabilities! This will unnecessarily put users at risk.

The best channel for vulnerability reports would be mailing us at technik@fearnixx.de (we speak English and German).
If you don't hear from us in a few days, please reach out to our head developer on Twitter:

Justification of response times

We want you to know that our response times are usually fast (a few hours) but may occasionally involve a few days of waiting. We're a group of volunteer tech enthusiasts, and at times we may not have the capacity to deal with requests on short notice.
