Vulnerability Disclosure Policy

This policy provides security researchers with clear guidelines for responsibly conducting vulnerability discovery and describes how to report potential issues in our project. We encourage you to contact us whenever you identify a possible vulnerability.

Guidelines

Please adhere to the following principles:

  • Notify us as soon as possible after discovering a real or potential security issue.

  • Make every effort to avoid privacy violations, degradation of user experience, disruption of production systems, and destruction or manipulation of data.

  • Use exploits only to the extent necessary to confirm a vulnerability’s existence. Do not use an exploit to compromise or exfiltrate data, establish persistent access, or pivot to other systems.

  • Allow us a reasonable amount of time to resolve the issue before publicly disclosing it.

  • If you encounter any sensitive data during your testing, stop testing immediately, do not retain or share this data with anyone, and describe what you encountered (without including the data itself) in your report to us.

Reporting a Vulnerability

If you find a security vulnerability, we strongly encourage you to report it as soon as possible. Please follow the steps below:

  1. Do not publicly disclose the vulnerability until we have had an opportunity to address it.

  2. Send an email, in English or German, to clemens-alexander.brust@dlr.de (PGP Key) or bernd.gruner@dlr.de (PGP Key); reports can be encrypted with the linked PGP key. Please include:

    • A description of the discovered vulnerability and its location in the project.

    • A detailed explanation of the steps required to reproduce the issue (proof-of-concept scripts or screenshots are helpful).

    • The potential impact of exploitation.

We aim to respond within 3 working days and to provide an estimated timeline for resolution. We will confirm the vulnerability to the best of our ability and remain as transparent as possible about our remediation process, including any challenges that may delay resolution. This project follows a 90-day disclosure timeline, counted from the initial report.

Coordinated Disclosure

We follow a coordinated disclosure process. If the reported issue is confirmed as a vulnerability and fixed, we will:

  1. Acknowledge the reporter’s contribution (if they agree).

  2. Publish a public Security Advisory containing all relevant details.

  3. Assign a CVE, if applicable.

  4. Notify affected users, if applicable.

Thank you for helping us keep this project secure.