mirror of
https://github.com/firefly-iii/firefly-iii.git
synced 2026-06-09 11:55:07 +00:00
Merge branch 'main' into develop
8
.github/security.md
vendored
@@ -3,6 +3,14 @@
Firefly III is an application to manage your personal finances. As such, the developer has adopted this security
disclosure and response policy to ensure that critical issues are responsibly handled.
## AI-generated security advisories
> [!WARNING]
> Due to a large number of irrelevant, noisy and uninformed AI-generated security advisories coming my way, reporting any the following security issues may return in a permanent ban from the Firefly III organization on GitHub.
1. Any SSRF in any user provided URL field (webhooks, ntfy, SimpleFIN, Slack). It's by design that users may set-up any URL they want, be it internal, private or non-existing.
2. Any XSS issue without a viable attack tree. If you can find a spot where Firefly III or the associated tools render unescaped data, it's not a security issue unless you can show me an actual attack that gets that data into the system.
## Supported versions
Only the latest Firefly III release is maintained. Applicable fixes, including security fixes, will not be backported to
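Review bot: The added warning line has two wording errors that change its meaning: "reporting any the following security issues" is missing "of", and "may return in a permanent ban" should read "may result in a permanent ban"; in item 1, "set-up" is a verb here and should be "set up". Item 1 rules SSRF in the webhook, ntfy, SimpleFIN and Slack URL fields out of scope as "by design", but that reasoning holds only when the user who enters the URL is trusted with the network reach of the server; consider stating that deployment assumption in the same sentence so a reporter can tell whether the exclusion applies to their setup. Item 2 asks for "a viable attack tree" but the new section does not say where a report that does include one should go, while the heading and warning read as a blanket refusal; a one-line pointer back to the disclosure process described at the top of this file would keep the two parts of the policy consistent.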