How to report a vulnerability
If you've found a security-related issue with Passbolt, please email [email protected]. Do not submit the vulnerability to GitHub as this would make it public and potentially exploitable. We'll do a public disclosure of the security issue once it's been fixed.
What happens after you report
After receiving a report, Passbolt will take the following steps:
- Try first to reproduce the issue and confirm the vulnerability
- Acknowledge to the reporter that we have received the issue and are working on a fix
- Get a fix/patch prepared and create associated automated tests
- Prepare a post describing the vulnerability and the possible exploits
- Release new versions of all affected major versions
- Prominently feature the problem in the release announcement
- Give credit in the release announcement to the reporter if they so desire
What to include in your report
When reporting a vulnerability, please include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested fixes (if available)
- Your contact information
- The version of Passbolt you tested on
- Any relevant configuration details
Responsible disclosure
We appreciate your help in keeping Passbolt secure. By following responsible disclosure practices, you help us protect our users while we work on a fix. We commit to:
- Acknowledging receipt of your report within 48 hours
- Keeping you informed of our progress
- Giving you credit for your findings (if desired)
- Not taking legal action against you for your research
Bug Bounty Program
Passbolt SA bug bounty program outlines the scope for security researchers and bug bounty hunters working on the Passbolt product. This program is designed to encourage responsible disclosure of security vulnerabilities and improve the overall security of Passbolt.
Rewards
There is currently no financial reward for identified vulnerabilities. However, we highly value your contributions to our platform's security. In recognition of your efforts, we will provide credits acknowledging your discoveries both within our vulnerability reports and across our social media channels.
Bug Eligibility
Any submitted report must involve a bug that is exploitable in the latest version of Passbolt at the time of submission for both the server application and the clients.
You must be the first reporter of a valid vulnerability (any duplicate reports will not be rewarded).
Scope
In Scope
| Repository | Type | Security Requirement |
|---|---|---|
| passbolt_browser_extension | web-application | default |
| passbolt_styleguide | web-application | default |
| passbolt-windows | desktop | default |
| passbolt_pro_api | web-application | default |
| passbolt_api | web-application | default |
| mobile-passbolt-ios | Mobile | default |
| mobile-passbolt-android | Mobile | default |
Out of Scope
- Passbolt network, online services, websites, and related 3rd party services/providers
- Vulnerabilities in third-party dependencies
- Vulnerabilities in development environments
- Vulnerabilities that require physical access
- Vulnerabilities that require social engineering
- Vulnerabilities that require unrealistic user interaction
- Vulnerabilities that are already known to us
- Vulnerabilities that are not reproducible
Qualifying Vulnerabilities
- Access to sensitive data (private key, passphrase)
- Cross-Site Scripting (XSS)
- Cross-site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Remote Code Execution (RCE)
- Local File Disclosure (LFD)
- Access Control Issues (permission bypass, etc.)
- Directory Traversal Issues
- Exposure of configuration files or secrets (server private key)
Non-qualifying Vulnerabilities
- Bugs that have been publicly reported in previous security audits and currently not fixed
- Outdated development dependencies
- Bugs that are reliant on pre-existing control of the victim's operating system (keylogger, memory dumping)
- Bugs requiring the use of another malicious 3rd party browser add-on
- Bugs resulting of the impersonation of another user when the passbolt registration is set to open
- Bugs requiring the manual installation of a modified version of the passbolt web extension (by email, etc.)
- Email content spoofing prompting a user to perform an account recovery on a different passbolt instance
- Self inflicted password deletion or data damage even if they affect other users
- Self inflicted XSS (using dev tools / console)
- Issues related to baseline webserver such as the SSL certificate or configuration, outdated operating system and libraries, unsecure php configuration, etc.
- Issues related to unsecure and non recommended baseline passbolt configuration such as the use of default OpenPGP keys, disabled https, or debug or selenium testing modes enabled
- Issues related to email configuration (DKIM, SPF)
- Denial of service
- Bugs that involve physical attacks or social engineering against passbolt contributors or add-ons / app store reviewers
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Vulnerabilities in outdated versions of Passbolt
- Username/email enumeration
- CSV injection (OS Command Injection in CSV file export)
How to Test
Please do not use the public website for vulnerability testing. You can find instructions on how to install Passbolt server components online. We offer a wide range of options including installation scripts, docker images, docker compose, virtual machines, etc.
If you need help installing the software, we'll be more than happy to help you. Passbolt Pro Edition requires a subscription key to be installed. You can request a free subscription key at [email protected].
Terms and Conditions
- We reserve the right to modify or cancel the program at any time
- We reserve the right to reject any submission
- We reserve the right to determine the severity and reward amount
- We reserve the right to modify the scope at any time
- We reserve the right to modify the terms and conditions at any time