Security Vulnerability Reporting

How to responsibly report security vulnerabilities and issues in SysManage.

🔒 Responsible Disclosure

We take security seriously. If you discover a security vulnerability, please follow our responsible disclosure process to help us address it quickly and safely.

Reporting Process

1. Initial Report

Send an email to security@sysmanage.org with details about the vulnerability. Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Your contact information

2. Acknowledgment

We will acknowledge receipt of your report within 48 hours and provide an initial assessment within 7 days.

3. Investigation

Our security team will investigate the issue and work on a fix. We may contact you for additional information or clarification.

4. Resolution

Once fixed, we will notify you and coordinate the public disclosure timeline.

What to Report

🔴 Critical Vulnerabilities

  • Remote code execution
  • Authentication bypasses
  • Privilege escalation
  • Data exposure or leakage
  • Injection vulnerabilities (SQL, Command, etc.)

🟡 Medium Vulnerabilities

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Information disclosure
  • Denial of service attacks
  • Insecure configuration options

🟢 Low Impact Issues

  • Missing security headers
  • Information leakage in error messages
  • Weak encryption parameters
  • Insecure defaults

What NOT to Report

Please do not report the following as security vulnerabilities:

  • Issues requiring physical access to the system
  • Self-inflicted attacks (self-XSS)
  • Missing best practices without security impact
  • Issues in third-party software (report to respective vendors)
  • Social engineering attacks
  • Brute force attacks without demonstrable impact

Disclosure Guidelines

✅ Please Do

  • Provide detailed reproduction steps
  • Use test environments when possible
  • Allow reasonable time for fixing
  • Keep the vulnerability confidential until resolved
  • Report one vulnerability per email

❌ Please Don't

  • Access or modify user data
  • Disrupt service availability
  • Test on production systems
  • Publicly disclose before resolution
  • Violate privacy or laws

Contact Information

📧 Email

security@sysmanage.org

Primary method for vulnerability reports

🔐 PGP Key

For sensitive reports, use our PGP key:

Key ID: 0x1234567890ABCDEF

Download Public Key

🐛 GitHub

For non-security bugs and issues:

GitHub Issues

Recognition

We appreciate security researchers who help improve SysManage's security. Responsible reporters will be:

  • Acknowledged in our security advisories (with permission)
  • Listed in our Hall of Fame
  • Provided updates on fix progress
  • Thanked publicly after resolution

Security Hall of Fame

Thank you to all security researchers who have helped improve SysManage's security through responsible disclosure.