Security

Reporting guidelines

Suspected or confirmed security vulnerabilities in TaskCollect should be reported to taskcollect-discuss. Please prefix the subject line of your email with "[SECURITY]" so that we can easily distinguish between queries and security incidents. If the vulnerability has an associated CVE ID, please include it in the subject line as well.

As with all other emails sent to taskcollect-discuss, security-related emails are only visible to the TaskCollect development team and not to members of the wider public. We aim to respond to security reports as quickly as possible, but given our limited time and availability, we cannot make any guarantees as to when we will provide a response. Please be patient.

Vulnerability disclosure and announcements

Given the sensitive nature of security vulnerabilities, we do not immediately disclose reported vulnerabilities. These are the steps we take to address a security vulnerability:

  1. The security report is examined and confirmed.
  2. A team member is allocated to fixing the underlying issue and given a timeline for its resolution.
  3. The fix is reviewed and applied to our public source repository.
  4. The codebase is audited for similar and/or related issues.
  5. A new public release is made and announced, mentioning some details about the vulnerability and how it was fixed.
  6. If the vulnerability was significant, an announcement is made on taskcollect-announce with a technical analysis of the issue, its consequences, and the steps taken to fix it.

This may take some time. Please be mindful of this.