Only the most recent stable version is supported.

Please report any security issues via email to security@getontracks.org. If you don't get a reply for your email, resend the email after one week. If there's still no reply, open an issue in the issue queue but do not disclose the details in the issue, only ask about the reply and status.

You can (and should) encrypt the email you send with OpenGPG key 0x8af45b6854414d2d, which you can find for example in pool.sks-keyservers.net.

Unfortunately Tracks is not part of a bug bounty program, but we do provide appropriate credits for disclosing security issues.

When a security vulnerability is reported to the maintainers, the maintainers first validate the vulnerability and preliminarily estimate the risk caused by the vulnerability.

Any security issue is kept strictly confidential until a fix is made and validated by the maintainers and, if necessary, the reporter. Any fixes are not committed to the public repository before publishing.

When a fix has been validated, the final risk assessment of the issue is done based on the latest version of the CVSS system and the criteria below.

A security advisory is a public announcement managed by the maintainers which informs instance maintainers about a security problem in the software and the steps instance maintainers should take to address it. On release it is published widely so that instance maintainers can address it quickly.

If necessary, the maintainers can decide to issue a pre-announcement informing the instance maintainers of an upcoming security advisory. This is done when timely addressing of the vulnerability is very important due to the high risk caused by it.

Security advisories are published for security vulnerabilities that

• Are caused by code included in the software repository (not any libraries or other code not itself in the repository),
• Exist in stable or release candidate releases (not alpha or beta releases or unreleased code),
• Are exploitable either without logging in or without admin privileges, and
• Affect either the whole instance or other users than the one running the exploit.

If the vulnerability does not warrant a security advisory, the vulnerability is fixed and released with a note in the release notes of the release. Details of the vulnerability as well as the risk assessment and grounds for not publishing a security advisory are included.