From 7d768cfa236cf67baa94e9ac3d79158237cb7505 Mon Sep 17 00:00:00 2001 From: James Cole Date: Sat, 16 May 2026 19:52:56 +0200 Subject: [PATCH] Add AI-generated security advisories section Added a section regarding AI-generated security advisories to clarify reporting policies and potential consequences. Signed-off-by: James Cole --- .github/security.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/security.md b/.github/security.md index 0ab2d4b642..9cb728a01d 100644 --- a/.github/security.md +++ b/.github/security.md @@ -3,6 +3,14 @@ Firefly III is an application to manage your personal finances. As such, the developer has adopted this security disclosure and response policy to ensure that critical issues are responsibly handled. +## AI-generated security advisories + +> [!WARNING] +> Due to a large number of irrelevant, noisy and uninformed AI-generated security advisories coming my way, reporting any the following security issues may return in a permanent ban from the Firefly III organization on GitHub. + +1. Any SSRF in any user provided URL field (webhooks, ntfy, SimpleFIN, Slack). It's by design that users may set-up any URL they want, be it internal, private or non-existing. +2. Any XSS issue without a viable attack tree. If you can find a spot where Firefly III or the associated tools render unescaped data, it's not a security issue unless you can show me an actual attack that gets that data into the system. + ## Supported versions Only the latest Firefly III release is maintained. Applicable fixes, including security fixes, will not be backported to
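Review bot: the warning paragraph in the added "AI-generated security advisories" section has two wording slips that every reporter reading the policy will see: "reporting any the following security issues" is missing "of", and "may return in a permanent ban" should read "may result in a permanent ban". Suggested replacement for that quoted line: `> Due to a large number of irrelevant, noisy and uninformed AI-generated security advisories coming my way, reporting any of the following security issues may result in a permanent ban from the Firefly III organization on GitHub.` In item 1, "set-up" is the noun form; as a verb it should be "set up" ("users may set up any URL they want"). The substance of both items is clear as written: item 1 states that outbound requests to internal, private or non-existing URLs from user-provided webhook, ntfy, SimpleFIN and Slack fields are accepted by design, and item 2 already defines the bar for XSS reports as a demonstrated way to get attacker-controlled data into the system, so only the wording needs the fix.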