Please do not open a public GitHub issue for security vulnerabilities.
Email mataruso@gmail.com with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
You'll receive an acknowledgement within 48 hours. We aim to release a fix within 14 days of confirming the issue.
The following are in scope:
- Authentication and session management
- Multi-tenant data isolation (one tenant accessing another's data)
- Provisioning endpoint leaking credentials
- SQL/command injection in any endpoint
- SIP password exposure
- Issues in upstream dependencies (GenieACS, Postgres, nginx) — report those upstream
- Denial of service via resource exhaustion
- Issues requiring physical access to the server