Weblate/weblate
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/WeblateOrg/weblate.git synced 2026-04-29 18:29:13 +08:00
Code Issues Projects Releases Packages Activity Actions 4
weblate/docs/security/issues.rst
Michal Čihař fe697453af docs: use security@weblate.org PGP key for security reports 
The address was already used, but historically my PGP key was used for
security reports. This does not scale, so use shared key for this.
2025-09-08 11:03:12 +02:00

72 lines
2.7 KiB
ReStructuredText
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Vulnerability and incident handling
===================================
.. _security:
Reporting security issues
-------------------------
.. seealso::
Please read :ref:`ai-issues` in case you have used AI to discover a security issue in Weblate.
Weblates development team is strongly committed to responsible reporting and
disclosure of security-related issues. We have adopted and follow policies that
are geared toward delivering timely security updates to Weblate.
Most normal bugs in Weblate are reported to our public `GitHub issues tracker
<https://github.com/WeblateOrg/weblate/issues>`_, but due to the sensitive
nature of security issues, we ask them not to be publicly reported in this
fashion.
Instead, if you believe youve found something in Weblate that has security
implications, please submit a description of the issue to security@weblate.org,
`GitHub <https://github.com/WeblateOrg/weblate/security/advisories/new>`_,
or using `HackerOne <https://hackerone.com/weblate>`_.
A member of the security team will respond to you within 48 hours, and
depending on what action is taken, you may get more follow-up emails.
.. note::
**Sending encrypted reports**
If you want to send an encrypted email (*optional*), please use the public
key for security@weblate.org with ID ``8EA7 6E43 0976 3323 C2E3 D5A0 C472 9F23 8A80 EA93``.
This public key is available on the most commonly used key servers, using
WKD or `directly from weblate.org
<https://weblate.org/.well-known/openpgpkey/hu/t5s8ztdbon8yzntexy6oz5y48etqsnbb?l=security>`_.
.. hint::
Weblate depends on third-party components for many things. In case
you find a vulnerability affecting one of those components in general,
please report it directly to the respective project.
Some of these are:
* :doc:`Django <django:internals/security>`
* `Django REST framework <https://www.django-rest-framework.org/#security>`_
* `Python Social Auth <https://github.com/python-social-auth>`_
.. seealso::
* :doc:`/contributing/issues`
.. _vulnerability-disclosure-policy:
Vulnerability disclosure policy
-------------------------------
Within 30 days following a release containing a vulnerability fix, a security
advisory is published at
https://github.com/WeblateOrg/weblate/security/advisories. The advisory is
available immediately with a release when possible.
Any actively exploited vulnerability or severe incidents are notified to CSIRT
within 24 hours, general info is provided to CSIRT within 72 hours, and a full
report is provided within 14 days.
All users of Hosted or Dedicated Weblate impacted by a severe incident
or an actively exploited vulnerability are notified within 7 days.
Reference in a new issue View git blame Copy permalink