Only the latest release of Crowdroom receives security updates. Older versions are not maintained.
If you find a security vulnerability, do not open a public issue.
Send an email to: crowdroom@jaherhum.dev
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
What to expect:
- You will receive a confirmation within 48 hours
- The issue will be investigated and a fix developed
- A new release will be published with the fix
- You will be credited in the changelog (unless you prefer anonymity)
In scope:
- Authentication and authorization issues
- Data exposure or privacy issues
- WebSocket security issues
- API vulnerabilities
Out of scope:
- Denial of service attacks
- Issues in third-party dependencies (report those upstream)
- Social engineering