The developers of CertBox aim to make security a priority for the project. This document describes our policy for handling security vulnerabilities within the CertBox software.
Only the most recent release of CertBox is supported. Older versions are not supported and may contain unfixed security vulnerabilities.
Please do not report security vulnerabilities as issues on GitHub, as issues are visible to the public.
The severity of an issue may be greater than it first appears, so we ask that reports be kept private until we have determined the scope of the issue.
Please contact the lead developer, Ian Spence, using the Signal number available on his website.
Do you offer any form of reward for identifying security issues? We do not run a bug bounty program and do not offer monetary rewards. CertBox is an open source project with absolutely no budget; all expenses for the project are donated. We will credit you in the release notes for discovered issues, under a name of your choice and with a single link to a social media profile.