We release patches for security vulnerabilities. Which versions are eligible to receive such patches depend on the CVSS v3.0 Rating:
| CVSS v3.0 | Supported Versions |
|---|---|
| 4.0-10.0 | Most recent release |
Please report (suspected) security vulnerabilities to our bug bounty program. You will receive a response from us within 2 working days. If the issue is confirmed, we will release a patch as soon as possible depending on impact and complexity.
Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program.
We generally aren't interested in the following issues:
- Social engineering (e.g. phishing, vishing, smishing) attacks
- Brute force, DoS, text injection
- Missing best practices such as HTTP security headers (CSP, X-XSS, etc.), email (SPF/DKIM/DMARC records), SSL/TLS configuration.
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Clickjacking on pages with no sensitive actions
- Theoretical vulnerabilities where you can't demonstrate a significant security impact with a proof of concept.