Flyspray is proudly sponsored by The Veloz Group
Table of Contents
This document describes how security incidents are handled since Flyspray 0.9.9.
Reporting and handling security problems.
- Write a detailed report to email@example.com and we will contact you privately.
- We take security so damn seriously, that we promise to release an update in no more than 5 business days if the problem reported:
- is remotely exploitable, such as XSS(and friends), remote code execution or SQL Injection.
- it discloses critically sensitive user information (passwords, the contents of other files in the system..).
- All other type of issues considered 'minor' will be fixed in the next patch level release in conjunction with other bugs.
- We will write an FSA (Flyspray Security Announcement) describing the vulnerability briefly after the release of a minor, patch level release. the FSA may contain source code patch against the previous release.
- We will thank you for your report and give proper credits.
Security problems archive
You can read a list of known security problems on Flsypray's Secunia.com page
Things that are NOT security holes in Flyspray
PHP security holes, where the only real solution is to upgrade your PHP version to be protected.
Also, There are a few third party flyspray integrations that we are aware of :
- Mambo/Joomla Flyspray
- A modified version included with EGroupware.
Please do not contact us about vulnerabilities in that products, unless the problem is present in officially supported Flyspray releases available in either the download section or in the active branches of our SVN repository.
We have no control of the code included in that tools.