Did you find a security-related issue in one of our products? We'd like to guideline you through the process from the first contact till the public announcement of a security fix.
Thank you for taking time reading the following information carefully. Your contribution is highly welcome!
This security policy is related to i-doit incl. all its sub-projects and public systems.
Please ensure that your findings affect the latest stable release of our software application. If you find any security issues in an older version of our software application please make sure it has not been already fixed in the current version.
i-doit is maintained by the synetics GmbH, located in Düsseldorf/Germany. You can contact us in both English and German.
These are examples for security-related issues:
- Vulnerability in one of our public systems, e.g. our websites
- Vulnerability in one of our software applications, e.g. i-doit
- Disclosure of private information, e.g. user data and secrets
These issues affect the availability, confidentiality and/or integrity of our systems, software applications and the data we must protect.
We encourage you to follow the principles of a responsible disclosure. In short, we kindly ask you to:
- Inform us immediately after you found an issue
- Do not publish your findings without our confirmation
- Give us at least 4 weeks to fix the issue if your findings are confirmed as security-related
- Publish your findings after we publicly announce security fixes
A CVE is very much appreciated.
Contact us directly via e-mail: [email protected]
We highly recommend to sign and encrypt your e-mail with GPG/OpenPGP. Our public key is available on keys.openpgp.org
and can be downloaded from i-doit.cloud/security_key.asc
.