Only the latest version of verinice has all security updates.

Please e-mail verinice@sernet.de if you believe you have found a vulnerability in verinice. Minor security issues can be publicly reported on GitHub.

In your bug report, please try to cover the following info:

• Proof of Concept: exact steps to reproduce the bug
• How did you discover the vulnerability?
• Your estimation of impact
• Suggestions for a fix

When receiving a bug report, we will look at it internally before answering, so expect some delay until you get an answer. Once we confirmed and talked about the vulnerability, we will contact you.

Please give us up to 120 days to fix the vulnerability you reported, once the patch is public you can disclose it.

In this section we thank researchers who submitted critical vulnerabilities to us.

• Frank Nusko (SECIANUS GmbH & Co. KG) RCE via insecure deserialization CVE-2021-36981