Security: SerNet/verinice

SECURITY.md

Security Policy

Supported Versions

Only the latest version of verinice has all security updates.

Reporting a Vulnerability

Please e-mail verinice@sernet.de if you believe you have found a vulnerability in verinice. Minor security issues can be publicly reported on GitHub.

In your bug report, please try to cover the following info:

  • Proof of Concept: exact steps to reproduce the bug
  • How did you discover the vulnerability?
  • Your estimation of impact
  • Suggestions for a fix

When we receive a bug report, we will look at it internally before answering, so expect some delay until you get an answer. Once we have confirmed and discussed the vulnerability, we will contact you.

Public Disclosure

Please give us up to 120 days to fix the vulnerability you reported. Once the patch is public, you can disclose it.

Hall of Fame

In this section we thank researchers who submitted critical vulnerabilities to us.

  • Frank Nusko (SECIANUS GmbH & Co. KG): RCE via insecure deserialization (CVE-2021-36981)