solidtime/SECURITY.md
Gregor Vostrak f7663b1c8b Clarify out of scope items for vulnerability reports
Added out of scope section for vulnerability reporting.
2026-05-18 19:21:32 +02:00

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, please e-mail me at security@solidtime.io.

Out of scope

Reports we typically won't issue an advisory for:

  • Theoretical findings without a working PoC
  • Raw scanner output without manual validation
  • Missing/weak security headers in isolation (CSP, X-Frame-Options, HSTS, etc.)
  • SPF/DKIM/DMARC on non-mail-sending domains; missing DNSSEC/CAA; TLS cipher preferences
  • Self-XSS; CSRF on non-state-changing endpoints (logout, theme)
  • CSV / spreadsheet formula injection in exports — treated as a spreadsheet-application issue
  • Org owners or admins acting destructively within their own organization
  • Anything requiring direct DB, shell, or filesystem access on a self-hosted instance
  • Missing OAuth scope enforcement (scopes are not implemented yet; AI scanners flag this, so it stays on this list until we actually support them)