Security
At CrabNebula we take security topics into account when designing a product and during it’s whole lifecycle. We have internal manual and automated security testing in place but, as it is impossible to discover all bugs in a code base, we encourage reporting security relevant bugs in a coordinated way.
Vulnerability Disclosure
Do not report security vulnerabilities through public channels.
Please contact us via email at security@crabnebula.dev. You can encrypt your mail using GnuPG if you want.
See the security.txt at crabnebula.dev:
Include as much of the following information as possible in the security report:
- Type of issue (e.g. code execution, privilege escalation, information leak etc.)
- The location of the affected feature (URL/Code)
- Any special configuration required to reproduce the issue
- The distribution affected or used for reproduction.
- Step-by-step instructions to reproduce the issue, ideally a reproduction repository
- Impact of the issue, including how an attacker might exploit the issue
We prefer to receive reports in English. If necessary, we also understand French and German.
We currently have no paid bug bounty system in place but consider rewards on an individual basis.