From 2a68c48e2a7fcc0dce962f4d37f77d3fbfa8aa7a Mon Sep 17 00:00:00 2001 From: James Cole Date: Sat, 16 May 2026 20:05:44 +0200 Subject: [PATCH] Update security reporting guidelines in security.md Clarified instructions for reporting false security issues. Signed-off-by: James Cole --- .github/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/security.md b/.github/security.md index 16cdfa053a..0cd625b284 100644 --- a/.github/security.md +++ b/.github/security.md @@ -10,7 +10,7 @@ disclosure and response policy to ensure that critical issues are responsibly ha 1. Any SSRF in any user provided URL field (webhooks, ntfy, SimpleFIN, Slack). It's by design that users may set-up any URL they want, be it internal, private or non-existing. 2. Any XSS issue without a viable attack tree. If you can find a spot where Firefly III or the associated tools render unescaped data, it's not a security issue unless you can show me an actual attack that gets that data into the system. -3. Any issue that is not true. AI models have already *hallucinated* security issues in Firefly III. They've referred to **non-existing** functions, templates and files. Including line numbers and code excerpts. Validate your findings. +3. Any issue that is not true. AI models have already *hallucinated* security issues in Firefly III. They've referred to **non-existing** functions, templates and files. Including line numbers and code excerpts. Validate your findings before you report them to me. ## Supported versions
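Review bot: the rewritten item 3 still leaves the reporter without a concrete verification step, and it carries a sentence fragment; since the line is being touched anyway, consider tightening it. "Including line numbers and code excerpts." is not a sentence; fold it into the previous one, e.g. "They've referred to **non-existing** functions, templates and files, including line numbers and code excerpts." Then make "Validate your findings before you report them to me" actionable by naming what validation means here, in line with the hallucination problem the item describes, e.g. "confirm that every file, function and line you cite exists in the current source tree, and reproduce the issue against a supported version before you report it to me." That turns the guideline into a check a reporter can actually perform, rather than a request they can agree with and still skip.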