
Security

At CrabNebula we take security into account when designing a product and throughout its whole lifecycle. We have internal manual and automated security testing in place, but since it is impossible to discover every bug in a code base, we encourage reporting security-relevant bugs in a coordinated way.

Vulnerability Disclosure

Do not report security vulnerabilities through public channels.

Please contact us via email at security@crabnebula.dev. If you want, you can encrypt your mail with GnuPG using the key published at the Encryption URL in our security.txt.

See the security.txt at crabnebula.dev:

Contact: mailto:security@crabnebula.dev
Expires: 2025-01-30T06:30:00.000Z
Encryption: https://crabnebula.dev/.well-known/pgp.txt
Preferred-Languages: en,de,fr
Canonical: https://crabnebula.dev/.well-known/security.txt
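Before relying on a published security.txt, a reporter (or a scanner run against your own site) should check that it is still valid: RFC 9116 makes Contact and Expires mandatory, requires Expires to appear exactly once, and recommends an expiry less than a year out. The following parser and validator is an added example written for this page, not CrabNebula's own tooling; the sample input is the security.txt reproduced above, embedded as a constant, and the reference time is passed in explicitly so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input: the security.txt reproduced on this page.
SAMPLE_SECURITY_TXT = """\
Contact: mailto:security@crabnebula.dev
Expires: 2025-01-30T06:30:00.000Z
Encryption: https://crabnebula.dev/.well-known/pgp.txt
Preferred-Languages: en,de,fr
Canonical: https://crabnebula.dev/.well-known/security.txt
"""


def utc(*args):
    """Build a timezone-aware UTC datetime (helper for callers and tests)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {field-name (lower-case): [values...]}.

    Blank lines and '#' comments are skipped; field names are case-insensitive
    per RFC 9116. A non-comment line without ':' is a syntax error.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse the ISO 8601 Expires value; a trailing 'Z' is rewritten to +00:00
    so the parse also works on Pythons older than 3.11."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("Expires must carry a timezone")
    return ts


def check_security_txt(text, now, canonical_url=None):
    """Return a list of problem strings; an empty list means the file passes.

    `now` is the reference time for the expiry check. `canonical_url` is the
    URL the file was fetched from (assumption: the caller knows it); when given
    and a Canonical field is present, the two must agree.
    """
    problems = []
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact (mandatory)")
    for c in contacts:
        # RFC 9116 expects URIs; mailto/https/tel are the usual schemes,
        # anything else is flagged for manual review.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto/https/tel URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once (mandatory)")
    else:
        try:
            ts = parse_expires(expires[0])
        except ValueError as e:
            problems.append(f"unparseable Expires: {e}")
        else:
            if ts <= now:
                problems.append(f"expired on {ts.isoformat()}; contact data may be stale")
            elif ts - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")

    for enc in fields.get("encryption", []):
        # Key location must not be fetched over plaintext HTTP.
        if not enc.startswith(("https://", "dns:", "openpgp4fpr:")):
            problems.append(f"Encryption is not an https/dns/openpgp4fpr URI: {enc}")

    canonicals = fields.get("canonical", [])
    if canonical_url is not None and canonicals and canonical_url not in canonicals:
        problems.append(f"fetched from {canonical_url} but Canonical lists {canonicals}")

    return problems


if __name__ == "__main__":
    for p in check_security_txt(SAMPLE_SECURITY_TXT, utc(2025, 1, 1),
                                "https://crabnebula.dev/.well-known/security.txt") or ["ok"]:
        print(p)
```

Run against a reference time before 30 January 2025 the sample passes; after that date the checker reports it as expired, which is the signal to confirm the contact address through another channel before sending a report. The sample is an unsigned file; if a site serves an OpenPGP clearsigned security.txt, verify the signature with gpg and feed only the signed body to the parser, since the armor header lines would otherwise be rejected as malformed.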

Include as much of the following information as possible in the security report:

  • Type of issue (e.g. code execution, privilege escalation, information leak etc.)
  • The location of the affected feature (URL/Code)
  • Any special configuration required to reproduce the issue
  • The distribution affected or used for reproduction.
  • Step-by-step instructions to reproduce the issue, ideally a reproduction repository
  • Impact of the issue, including how an attacker might exploit the issue

We prefer to receive reports in English. If necessary, we also understand French and German.

We currently have no paid bug bounty system in place but consider rewards on an individual basis.