Chatwoot is looking forward to working with security researchers worldwide to keep Chatwoot and our users safe. If you have found an issue in our systems/applications, please reach out to us.
## Reporting a Vulnerability
We use [huntr.dev](https://huntr.dev/) for security issues that affect our project. If you believe you have found a vulnerability, please disclose it via this [form](https://huntr.dev/bounties/disclose). This will enable us to review the vulnerability, fix it promptly, and reward you for your efforts.
If you have any questions about the process, contact security@chatwoot.com.
Please try your best to describe a clear and realistic impact for your report, and please don't open any public issues on GitHub or social media; we're doing our best to respond through Huntr as quickly as possible.
> Note: Please use the email for questions related to the process. Disclosures should be done via [huntr.dev](https://huntr.dev/)
## Supported versions
| Version | Supported |
| ------- | -------------- |
| latest | ✅ |
| < latest | ❌ |
## Vulnerabilities we care about 🫣
> Note: Please do not perform testing against Chatwoot production services. Use a `self-hosted instance` to perform tests.
- Remote command execution
- SQL Injection
- Authentication bypass
- Privilege Escalation
- Cross-site scripting (XSS)
- Performing limited admin actions without authorization
- CSRF
You can learn more about our triaging process [here](https://www.chatwoot.com/docs/contributing-guide/security-reports).
## Non-Qualifying Vulnerabilities
We consider the following out of scope, though there may be exceptions.
- Missing HTTP security headers
- Incomplete/Missing SPF/DKIM
- Reports from automated tools or scanners
- Theoretical attacks without proof of exploitability
- Social engineering
- Reflected file download
- Physical attacks
- Weak SSL/TLS/SSH algorithms or protocols
- Attacks involving physical access to a user's device or a device or network that's already seriously compromised (e.g., man-in-the-middle).
- The user attacks themselves
- Denial of Service attacks
- Brute force attacks
- DNSSEC
If you are unsure about the scope, please create a [report](https://huntr.dev/repos/chatwoot/chatwoot/).
## Thanks
Thank you for keeping Chatwoot and our users safe. 🙇