FOSSBilling accepts vulnerability reports directly through GitHub, to open a new one simply click here. If you are looking for existing advisories, those can be found here on GitHub.

If you have a bug or a suggestion that is not related to an exploit, it should be reported via a new issue. (But please check if someone has already submitted it first!)

A well-written vulnerability report should include the following information:

• Identification of the file(s) affected by the exploit
• Description of how the vulnerability can be exploited
• Potential ramifications of the vulnerability
• A proof of concept exploit (if possible)
• Insights into a possible solution

Reports covering any of the following topics will be rejected by the FOSSBilling team:

• Reports describing the lack of granular permissions within FOSSBilling. This is a known limitation and the permission system will be completely replaced before FOSSBilling is considered production-ready (version 1.0.0).
• Reports from automated tools or scanners.
• Theoretical attacks without proof of exploitability.
• Attacks that are the result of a third party library should be reported to the library maintainers.
• Social engineering.
• Reflected file download.
• Physical attacks.
• Weak SSL/TLS/SSH algorithms or protocols.
• Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (eg man-in-the-middle).
• The user attacks themselves.
• Anything in /tests-legacy or tests.