====== Security ======

This document describes how security incidents are handled since Flyspray **0.9.9**.

===== Reporting and handling security problems =====

  * Write a detailed report to [[security@flyspray.org]] and we will contact you privately.
  * We take security so damn seriously that we **promise** to release an update in **no more than 5 business days** if the problem reported:
    - is **remotely** exploitable, such as XSS (and friends), remote code execution or SQL injection;
    - discloses **critically sensitive** user information (passwords, the **contents** of other files on the system, ...).
  * All other types of issues are considered 'minor' and will be fixed in the next patch level release in conjunction with other bugs.
  * We will write an FSA (Flyspray Security Announcement) describing the vulnerability briefly **after** the release of a minor or patch level release. The FSA may contain a source code patch against the previous release.
  * We will thank you for your report and give proper credit.

===== Flyspray 0.9.9 =====

  * 2008-02-24 [[FSA:3 | Cross site scripting (XSS) vulnerabilities]]
  * 2007-12-14 [[FSA:2 | Cross site scripting (XSS) vulnerabilities]]
  * 2007-03-16 [[FSA:1 | Admin authentication bypass]]

===== Security problems archive =====

You can read a list of known security problems on [[http://secunia.com/product/5995/?task=advisories|Flyspray's Secunia.com page]].

===== Things that are NOT security holes in Flyspray =====

PHP security holes, where the only real solution is to upgrade your PHP version to be protected.

Also, there are a few third party Flyspray integrations that we are aware of:

  * Mambo/Joomla Flyspray
  * active-factory
  * A modified version included with EGroupware.

Please **do not** contact us about vulnerabilities in those products, **unless** the problem is present in **officially supported** Flyspray releases available in either the download section or in the **active branches** of our SVN repository. We have no control over the code included in those tools.