Security: SLC-wms/DSL-Architecture

.github/SECURITY.md

Security Policy

To set the background, we define a "weakness" as a condition in software, firmware, hardware, or service components that, under certain circumstances, could contribute to the introduction of vulnerabilities. These vulnerabilities can result in various data-related problems, such as leaking users' private data or modifying system data to cause operational harm. For more information about our perspective on this topic, we encourage you to review the definition the Common Weakness Enumeration (CWE) uses for its own goals; see the CWE FAQ.

In SLC-wms, we prioritize the security of our software and its services. We are committed to doing our utmost to mitigate the weaknesses catalogued by MITRE in the CWE, ensuring that our software remains secure, at the very least, against their Top 25 most dangerous weaknesses as updated each year. However, recognizing our human fallibility, we acknowledge the possibility of lapses in this mission, and this is where your assistance becomes valuable. Please review our protocol for reporting security weaknesses before reaching out, and thank you in advance.

Reporting Security Weaknesses

Please do NOT report security weaknesses through GitHub issues.

Doing so could make public a vulnerability that has not yet been disclosed. Instead, please report your finding as soon as possible to any of our maintainers by private message on the Slack server; you should receive a response within 24 hours.

To help us better understand the nature and scope of the possible issue, please include the information listed below; as much as you can provide is greatly appreciated:

  • Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
  • The location of the affected source code (ideally the URL)
  • Full paths of source file(s) related to the manifestation of the issue
  • Step-by-step instructions to reproduce the issue
  • Any other special configuration required to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Any ideas on how to fix it are greatly appreciated as well!

This information will help us triage your report more quickly. Finally, we prefer all communications to be in English, but feel free to use whatever language you want; we'll try our best to communicate back.

There aren’t any published security advisories