|
1 | | -# Security Policy |
| 1 | +# Hestia CP Security policy |
2 | 2 |
|
3 | | -## Supported Versions |
| 3 | +Welcome and thanks for taking interest in Hestia CP! |
| 4 | + |
| 5 | +We are mostly interested in reports by actual Hestia CP users but all high quality contributions are welcome. |
| 6 | + |
| 7 | +If you believe that you have have discovered a vulnerability in Hestia Control Panel, |
| 8 | +please let our development team know by submitting a report [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) Bounties and CVEs are automatically managed and allocated via the platform. |
| 9 | + |
| 10 | +If you are unable to use [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) please send an email to support@hestiacp.com |
| 11 | + |
| 12 | +We ask you to include a detailed description of the vulnerability, a list of services involved (e.g. exim, dovecot) and the versions which you've tested, full steps to reproduce the vulnerability, and include your findings and expected results. |
| 13 | + |
| 14 | +Please do not open any public issue on Github or any other social media before the report has been published and a fix has been released. |
| 15 | + |
| 16 | +With that, good luck hacking us ;) |
| 17 | + |
| 18 | +## Supported versions |
4 | 19 |
|
5 | 20 | | Version | Supported | |
6 | 21 | | ------- | ------------------ | |
7 | 22 | | Latest | :white_check_mark: | |
8 | 23 |
|
| 24 | +## Qualifying Vulnerabilities |
9 | 25 |
|
10 | | -## Reporting a Vulnerability |
| 26 | +### Vulnerabilities we really care about! |
| 27 | +- Remote command execution |
| 28 | +- Code/SQL Injection |
| 29 | +- Authentication bypass |
| 30 | +- Privilege Escalation |
| 31 | +- Cross-site scripting (XSS) |
| 32 | +- Performing limited admin actions without authorization |
| 33 | +- CSRF |
11 | 34 |
|
12 | | -If you believe that you have have discovered a vulnerability in Hestia Control Panel, |
13 | | -please let our development team know by submitting a report [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) Bounties and CVEs are automatically managed and allocated via the platform. |
| 35 | +### Vulnerabilities we accept |
| 36 | + |
| 37 | +- Open redirects |
| 38 | +- Password brute-forcing that circumvents rate limiting |
| 39 | + |
| 40 | +## Non-Qualifying Vulnerabilities |
| 41 | + |
| 42 | +- Theoretical attacks without proof of exploitability |
| 43 | +- Attacks that are the result of a third party library should be reported to the library maintainers |
| 44 | +- Social engineering |
| 45 | +- Reflected file download |
| 46 | +- Physical attacks |
| 47 | +- Weak SSL/TLS/SSH algorithms or protocols |
| 48 | +- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (eg man-in-the-middle). |
| 49 | +- The user attacks themselves |
| 50 | +- anything in `/test/` folder |
14 | 51 |
|
15 | | -If you are unable to [Huntr.dev](https://huntr.dev/bounties/disclose/?target=https://github.com/hestiacp/hestiacp) please send an email to support@hestiacp.com |
16 | | -We ask that you please include a detailed description of the vulnerability, |
17 | | -a list of services involved (e.g. exim, dovecot) and the versions which you've tested, |
18 | | -full steps to reproduce the vulnerability, and include your findings and expected results. |
|
0 commit comments