So, you have found a security vulnerability in Spook? Please, be sure to responsibly disclose it to us by reporting a vulnerability using GitHub’s Security Advisory.
DO NOT MAKE A PUBLIC ISSUES FOR SECURITY VULNERABILITIES!
For the sake of the security of our users, please 🙏 do not make vulnerabilities public without notifying us and giving us at least 90 days to release a fixed version. We will do our best to respond to your report within 7 days and also to keep you informed of the progress of our efforts to resolve the issue, but understand that Spook, like many Open Source projects, is primarily a volunteer project with no full-time resources. We may not be able to respond as quickly as you would like due to other responsibilities.
If you are going to write about Spook’s security, please get in touch, so we can ensure that all claims are correct.
We only accept reports against the latest stable & official version of Spook or any versions beyond that currently in development. The latest version can be found here.
We do not accept reports against forks of Spook.
We will not accept reports of vulnerabilities of the following types:
- Reports from automated tools or scanners.
- Theoretical attacks without proof of exploitability.
- Attacks that are the result of a third-party application or library (these should instead be reported to the library maintainers).
- Social engineering.
- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (like, man-in-the-middle).
- Attacks that require the user to install a malicious other integration or add-on.
- Attacks that the user can only perform on themselves.
If you are familiar with CVSS3.1, please provide the vulnerability score in your report in the shape of a vector string. There’s a calculator here. If you are unsure how or unable to score a vulnerability, state that in your report, and we will look into it.
Public disclosure & CVE assignment¶
We will publish GitHub Security Advisories and through those, will also request CVEs, for valid vulnerabilities that meet the following criteria:
- The vulnerability is in Spook itself, not a third-party library
- The vulnerability is not already known to us
- The vulnerability is not already known to the public
- CVEs will only be requested for vulnerabilities with a severity of Medium or higher.
As a crowd-funded community project, Spook cannot offer bounties for security vulnerabilities. However, if so desired, we will credit the discoverer of a vulnerability in our release notes.
This security page is heavily inspired by the one from OctoPrint. ❤️ If you are into 3D printing, check them out!