Reporting security vulnerabilities is of great importance for us, as DocIntel is used in multiple critical infrastructures.

In the case of a security vulnerability report, we ask the reporter to send it directly to antoine@docintel.org, if possible encrypted with the following GnuPG key: 0xa3d0f2782b093772. We will attempt to fix reported and confirmed security vulnerabilities as soon as possible, followed by a software release containing the fixes within the following days.

If you report security vulnerabilities, do not forget to tell us if and how you want to be acknowledged and if you already requested CVE(s). Otherwise, we will request the CVE(s) directly.

As we aim at DocIntel being largely used by CSIRT community, it is our duty to clearly state which bug could be abused and have a security impact on a DocIntel instance. CVE assignment is performed even for minor bugs suspected of having a security impact. This allows every user with DocIntel instances set up in their environments to understand which bugs could impact their security.

We firmly believe that, even though unfortunately it is often not regarded as common practice in our industry, being as transparent as possible about vulnerabilities, no matter how minor, is of crucial importance. At DocIntel, we care about the security of our users and prefer to have a high number of published CVEs rather than sweeping some of them under the rug.