Vulnerabilities and incident handling

Reporting security issues

See also

If you have used AI to discover a security issue in Weblate, please read Using AI to create issues.

Weblate’s development team is strongly committed to responsible reporting and disclosure of security-related issues. We have adopted and follow policies that are geared toward delivering timely security updates to Weblate.

Most normal bugs in Weblate are reported to our public GitHub issues tracker, but due to the sensitive nature of security issues, we ask them not to be publicly reported in this fashion.

Instead, if you believe you’ve found something in Weblate that has security implications, please submit a description of the issue to security@weblate.org, via GitHub, or using HackerOne.

A member of the security team will respond to you within 48 hours, and depending on what action is taken, you may get more follow-up emails.

Note

Sending encrypted reports

If you want to send an encrypted email (optional), please use the public key for security@weblate.org with ID 8EA7 6E43 0976 3323 C2E3 D5A0 C472 9F23 8A80 EA93.

This public key is available on the most commonly used key servers, using WKD or directly from weblate.org.
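The following script is an added example, not part of the Weblate documentation or project tooling: it locates the security@weblate.org key via WKD with gpg, refuses to encrypt unless the key's fingerprint equals the one published above, and only then encrypts a report file. It assumes gpg, awk and tr are installed and that weblate.org serves the key over WKD; the function names are the example's own.

```shell
#!/bin/sh
# Added example: verify the published fingerprint before encrypting a report.
EXPECTED_FPR="8EA7 6E43 0976 3323 C2E3 D5A0 C472 9F23 8A80 EA93"

# Strip spaces and upper-case so "8ea7 6e43 ..." and "8EA76E43..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr_from_colons() {
    awk -F: '$1=="pub"{seen=1} seen && $1=="fpr"{print $10; exit}'
}

# Return 0 when the primary fingerprint in the given colon output matches
# EXPECTED_FPR, 1 otherwise (also when no fingerprint is present at all).
fingerprint_matches() {
    actual=$(printf '%s\n' "$1" | primary_fpr_from_colons)
    [ -n "$actual" ] &&
        [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Fetch the key over WKD, check it, and encrypt the report given as argument.
# Needs network access and gpg; never run when the script is merely sourced.
encrypt_report() {
    report="$1"
    gpg --auto-key-locate clear,wkd --locate-keys security@weblate.org >/dev/null
    colons=$(gpg --with-colons --fingerprint security@weblate.org)
    if ! fingerprint_matches "$colons"; then
        echo "fingerprint mismatch for security@weblate.org; not encrypting" >&2
        return 1
    fi
    # Address the recipient by full fingerprint so a look-alike user ID cannot be picked.
    gpg --encrypt --armor --recipient "$(normalize_fpr "$EXPECTED_FPR")" "$report"
}

if [ $# -eq 1 ]; then
    encrypt_report "$1"
fi
```

Run it as `sh encrypt_report.sh report.txt` to produce `report.txt.asc`; a mismatch exits non-zero without writing anything.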

Hint

Weblate relies on third-party components for many things. If you find a vulnerability affecting one of these components, please report it directly to the corresponding project.

Some of these are:

Vulnerability disclosure policy

Within 30 days following a release containing a vulnerability fix, a security advisory is published at https://github.com/WeblateOrg/weblate/security/advisories. The advisory is available immediately with a release when possible.

Any actively exploited vulnerability or severe incident is notified to CSIRT within 24 hours, general information is provided to CSIRT within 72 hours, and a full report is provided within 14 days.

All users of Hosted or Dedicated Weblate impacted by a severe incident or an actively exploited vulnerability are notified within 7 days.