
Security

The S in IoT stands for security.

So, you have found a security vulnerability in Spook? Please, be sure to responsibly disclose it to us by reporting a vulnerability using GitHub’s Security Advisory.

DO NOT OPEN A PUBLIC ISSUE FOR SECURITY VULNERABILITIES!

For the sake of the security of our users, please 🙏 do not make vulnerabilities public without notifying us and giving us at least 90 days to release a fixed version. We will do our best to respond to your report within 7 days and also to keep you informed of the progress of our efforts to resolve the issue, but understand that Spook, like many Open Source projects, is primarily a volunteer project with no full-time resources. We may not be able to respond as quickly as you would like due to other responsibilities.

If you are going to write about Spook’s security, please get in touch, so we can ensure that all claims are correct.

Supported versions

We only accept reports against the latest stable & official version of Spook or any versions beyond that currently in development. The latest version can be found here.

We do not accept reports against forks of Spook.

Non-qualifying vulnerabilities

We will not accept reports of vulnerabilities of the following types:

Severity scoring

If you are familiar with CVSS 3.1, please provide the vulnerability score in your report in the shape of a vector string. There’s a calculator here. If you are unsure how to score a vulnerability, or unable to, state that in your report and we will look into it.

If you intend to provide a score, please familiarize yourself with CVSS first (we strongly recommend reading the Specification and the Scoring Guide), as we will not accept reports that use it incorrectly.

Public disclosure & CVE assignment

We will publish GitHub Security Advisories, and through those also request CVEs, for valid vulnerabilities that meet the following criteria:

Bounties

As a crowd-funded community project, Spook cannot offer bounties for security vulnerabilities. However, if so desired, we will credit the discoverer of a vulnerability in our release notes.


This security page is heavily inspired by the one from OctoPrint. ❤️ If you are into 3D printing, check them out!