Vulnerability and incident handling

Reporting security issues

See also

If you used AI to discover a security issue in Weblate, please read Using AI to create issues before reporting it.

The Weblate development team is strongly committed to responsible reporting and disclosure of security-related issues. We have adopted and follow policies aimed at delivering security updates to Weblate in a timely manner.

Most bugs in Weblate are reported to our public GitHub issue tracker, but because security issues are sensitive, we ask that they not be reported publicly in this way.

Instead, if you believe you have found something in Weblate that has security implications, please submit a description of the issue to security@weblate.org, on GitHub, or via HackerOne.

A member of the security team will respond to you within 48 hours, and depending on what action is taken, you may receive further follow-up emails.

Note

Sending encrypted reports

If you want to send an encrypted email (optional), use the public key of michal@weblate.org with ID 3CB 1DF1 EF12 CF2A C0EE 5A32 9C27 B313 42B7 511D. This public key is available on the commonly used keyservers and on Keybase. Note that the ID as printed here has 39 hex digits while a full OpenPGP v4 fingerprint has 40, so confirm the complete fingerprint out of band (for example on Keybase) before encrypting to it; a keyserver lookup by email address alone can return any key that claims that address.
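The step above, fetching the reporting key and then pinning it to the published fingerprint before encrypting, as an added shell example (not part of the Weblate documentation or project tooling). The fingerprint string is copied from this page; the email address is the one named above; the file name `report.txt` and all function names are assumptions for illustration. Encrypting to the fingerprint rather than to the address means a different key that a keyserver hands back for the same address cannot be selected by mistake.

```bash
#!/usr/bin/env sh
# Added example (not Weblate's own code): pin the reporting key to the fingerprint
# published in the docs, then encrypt the report only to that key.
# EXPECTED_FPR is copied from the documentation page; everything else is an assumption.

EXPECTED_FPR="3CB 1DF1 EF12 CF2A C0EE 5A32 9C27 B313 42B7 511D"
REPORTER_EMAIL="michal@weblate.org"

# Normalize a fingerprint for comparison: strip whitespace, uppercase,
# so "3cb1 df1e ..." and "3CB1DF1E..." compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when the two fingerprints match after normalization.
fpr_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Fingerprints (one per line) of every key gpg holds for an address.
# Colon-separated output: record type "fpr", fingerprint in field 10.
imported_fprs() {
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10 }'
}

# Fetch the key (WKD or keyserver, via --locate-keys) and print the fingerprint
# of the imported key that matches the published one. Fails if none does.
fetch_and_pin() {
  gpg --batch --locate-keys "$REPORTER_EMAIL" >/dev/null 2>&1 || return 1
  for fpr in $(imported_fprs "$REPORTER_EMAIL"); do
    if fpr_matches "$fpr" "$EXPECTED_FPR"; then
      printf '%s\n' "$fpr"
      return 0
    fi
  done
  echo "no imported key for $REPORTER_EMAIL matches the published fingerprint" >&2
  return 1
}

# Encrypt $1 (plaintext report) to $1.asc, addressing the pinned fingerprint,
# never the email address. --trust-model always is acceptable here only because
# the recipient was already verified against EXPECTED_FPR.
encrypt_report() {
  fpr="$(fetch_and_pin)" || return 1
  gpg --batch --yes --armor --encrypt --trust-model always \
      --recipient "$fpr" --output "$1.asc" "$1"
}

# Usage (assumed file name): encrypt_report report.txt && cat report.txt.asc
```

If `fetch_and_pin` fails, do not fall back to encrypting "to the address"; fetch the full fingerprint from Keybase, fix `EXPECTED_FPR`, and rerun.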

Hint

Weblate depends on third-party components for many things. If you find a vulnerability that affects one of those components in general, please report it directly to the respective project.

Some of these are:

Vulnerability disclosure policy

Within 30 days of a release containing a vulnerability fix, a security advisory is published at https://github.com/WeblateOrg/weblate/security/advisories. Where possible, the advisory is published together with the release.

Any actively exploited vulnerability or severe incident is reported to the CSIRT within 24 hours; general information is provided to the CSIRT within 72 hours, and a full report within 14 days.

All Hosted or Dedicated Weblate users affected by a severe incident or an actively exploited vulnerability are notified within 7 days.