
Security: gravitee-io/issues


SECURITY.md

Responsible Disclosure Policy

Reporting a Vulnerability

Gravitee considers the security of its systems a top priority. But no matter how much effort we put into system security, vulnerabilities may still be present.

If you discover a serious vulnerability, together with a realistic and tested risk assessment, we would like to know about it so we can take steps to address it as quickly as possible.

We would like to ask you to help us better protect our clients and our systems by submitting:

  • Critical risk vulnerabilities, which could result in non-trivial data loss for Gravitee or our customers:

    • Bugs which could lead to massive or complete leakage of sensitive data
    • Bugs leading to remote code execution
    • Bugs which can lead to private key leakage, or other cryptographic flaws
  • High risk vulnerabilities, which would include:

    • Permanent subdomain takeover
    • XSS or CSRF resulting in significant security or privacy impact to customers
    • Ability to view, modify, or delete sensitive data in a misconfigured data repository
    • Authentication/authorisation issues that allow security settings to be bypassed
    • Security misconfigurations that result in data leakage or system compromise
    • Bugs allowing unauthorised operations on user accounts, where a low amount of effort is required to attack or compromise a large number of users
    • Websites, blogs or forums with relevant discussions on how to abuse Gravitee systems

A risk score will be determined only after review, assessment and confirmation by the Gravitee Information Security Team.

CVSS Score defined

The CVSS v3 base score rating will be used to set priority:

  • Low: 0.1 - 3.9
  • Medium: 4.0 - 6.9
  • High: 7.0 - 8.9
  • Critical: 9.0 - 10.0

Where no CVSS v3 score is available, the CVSS v2 rating will be used instead:

  • Low: 0.1 - 3.9
  • Medium: 4.0 - 6.9
  • High: 7.0 - 10.0

How to Submit

To submit a vulnerability, please use the following template:

  • Name:
  • Github ID:
  • Vulnerability Severity:
  • CVSS Score:
  • Exploitable: Y/N
  • Detailed report (stating method, screenshots, URLs):
  • Tools Used:
  • Recommended Remediation:

E-mail your findings to bug@graviteesource.com using the subject "Vulnerability Submission".

Encrypt your findings using our public PGP key:

Gravitee Vulnerability Submission Key (For secure vulnerability submission) bug@graviteesource.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZbOlQhYJKwYBBAHaRw8BAQdAiWEIdN4IjNriqcZ0srQngIFLMNaXA1pLQRhh
tOulzEK0ZEdyYXZpdGVlIFZ1bG5lcmFiaWxpdHkgU3VibWlzc2lvbiBLZXkgKEZv
ciBzZWN1cmUgdnVsbmVyYWJpbGl0eSBzdWJtaXNzaW9uKSA8YnVnQGdyYXZpdGVl
c291cmNlLmNvbT6ImQQTFgoAQRYhBFSUNuiKtTEbw4udCBQ7z1laY8hcBQJls6VC
AhsDBQkB4TOABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEBQ7z1laY8hc
MVMBAMISKo4T1mCYSAiWEkusTq7O1KvANvoCMLBfk0+/wtrtAQCCQqFf2620iA1D
YR5KhH+Y5NtmZFRUfHxGu6X69lEGD7g4BGWzpUISCisGAQQBl1UBBQEBB0DsO/eU
ObJ6wgNbb3BPqDL1ypKKHNXYMK3jhQ0HqtbHUgMBCAeIfgQYFgoAJhYhBFSUNuiK
tTEbw4udCBQ7z1laY8hcBQJls6VCAhsMBQkB4TOAAAoJEBQ7z1laY8hcYJsA/0o5
bISEh+wAuXrWd7E2Up+Qp4iMxfxPnrrJYzeCvB9RAP9EyJMbv6kqI172sLXf9WWn
M/sAQgY4122K3lMYrbvdCw==
=emeD
-----END PGP PUBLIC KEY BLOCK-----
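Before encrypting a report to this key, a practitioner will want to confirm that the block reached them intact and that the fingerprint gpg prints after import is the key's real one. The script below is an added example written for this page, not Gravitee's own tooling. Using only the Python standard library it strips the armor, verifies the CRC-24 trailer (the `=emeD` line), walks the OpenPGP packets, computes the primary key's v4 fingerprint as RFC 4880 section 12.2 defines it (SHA-1 over the key packet) and checks that it equals the Issuer Fingerprint the key's own self-signature asserts. It does not verify the Ed25519 self-signature cryptographically; gpg does that on import. The armored text embedded in the script is the block published above, re-wrapped to the standard 64-column armor lines.

```python
"""Check an armored OpenPGP public key before encrypting to it: armor CRC-24, packet
walk, v4 fingerprint (RFC 4880 section 12.2) against the self-signature's Issuer
Fingerprint. Added example for this page, not Gravitee tooling."""
import base64
import hashlib
import struct

# The key block published on this page, re-wrapped into 64-column armor lines.
ARMORED_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZbOlQhYJKwYBBAHaRw8BAQdAiWEIdN4IjNriqcZ0srQngIFLMNaXA1pLQRhh
tOulzEK0ZEdyYXZpdGVlIFZ1bG5lcmFiaWxpdHkgU3VibWlzc2lvbiBLZXkgKEZv
ciBzZWN1cmUgdnVsbmVyYWJpbGl0eSBzdWJtaXNzaW9uKSA8YnVnQGdyYXZpdGVl
c291cmNlLmNvbT6ImQQTFgoAQRYhBFSUNuiKtTEbw4udCBQ7z1laY8hcBQJls6VC
AhsDBQkB4TOABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEBQ7z1laY8hc
MVMBAMISKo4T1mCYSAiWEkusTq7O1KvANvoCMLBfk0+/wtrtAQCCQqFf2620iA1D
YR5KhH+Y5NtmZFRUfHxGu6X69lEGD7g4BGWzpUISCisGAQQBl1UBBQEBB0DsO/eU
ObJ6wgNbb3BPqDL1ypKKHNXYMK3jhQ0HqtbHUgMBCAeIfgQYFgoAJhYhBFSUNuiK
tTEbw4udCBQ7z1laY8hcBQJls6VCAhsMBQkB4TOAAAoJEBQ7z1laY8hcYJsA/0o5
bISEh+wAuXrWd7E2Up+Qp4iMxfxPnrrJYzeCvB9RAP9EyJMbv6kqI172sLXf9WWn
M/sAQgY4122K3lMYrbvdCw==
=emeD
-----END PGP PUBLIC KEY BLOCK-----
"""


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Base64-decode the armor body and refuse it if the CRC-24 line does not match."""
    body = [ln.strip() for ln in text.strip().splitlines()][1:-1]   # drop BEGIN/END lines
    while body and (":" in body[0] or body[0] == ""):              # optional armor headers
        body.pop(0)
    crc_line = body.pop() if body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: the key block was altered in transit")
    return raw


def _length(buf: bytes, pos: int, subpacket: bool = False):
    """New-format packet / subpacket length octets (sections 4.2.2 and 5.2.3.1)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < (255 if subpacket else 224):
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths not supported")


def packets(raw: bytes):
    """Yield (tag, body) per packet; gpg exports key material with old-format headers."""
    pos = 0
    while pos < len(raw):
        hdr = raw[pos]
        if hdr & 0x40:                                   # new-format header
            tag, (length, pos) = hdr & 0x3F, _length(raw, pos + 1)
        else:                                            # old-format header
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 0x03]
            if size is None:
                raise ValueError("indeterminate length not supported")
            length, pos = int.from_bytes(raw[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        yield tag, raw[pos:pos + length]
        pos += length


def subpackets(area: bytes):
    """Yield (type, data) from a signature subpacket area."""
    pos = 0
    while pos < len(area):
        length, pos = _length(area, pos, subpacket=True)
        yield area[pos], area[pos + 1:pos + length]
        pos += length


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length and the key packet body (section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def claimed_fingerprint(sig_body: bytes):
    """Issuer Fingerprint subpacket (type 33) from a v4 signature's hashed area, or None."""
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    for stype, data in subpackets(sig_body[6:6 + hashed_len]):
        if stype == 33 and data[0] == 4:
            return data[1:].hex().upper()
    return None


def check_key(armored: str) -> dict:
    """Values to compare with what gpg prints after `gpg --import`."""
    pkts = list(packets(dearmor(armored)))
    tag, primary = pkts[0]
    if tag != 6 or primary[0] != 4:
        raise ValueError("expected a v4 public key packet first")
    computed = v4_fingerprint(primary)
    return {
        "packet_tags": [t for t, _ in pkts],             # 6 key, 13 user ID, 2 sig, 14 subkey
        "algorithm": primary[5],                         # 22 = EdDSA (Ed25519 signing key)
        "user_ids": [b.decode() for t, b in pkts if t == 13],
        "fingerprint": computed,
        "key_id": computed[-16:],
        "self_signature_matches": computed == claimed_fingerprint(next(b for t, b in pkts if t == 2)),
    }
```

Compare the reported `fingerprint` with the output of `gpg --import` followed by `gpg --fingerprint bug@graviteesource.com`; if they agree and `self_signature_matches` is true, encrypt the report with `gpg --armor --encrypt --recipient bug@graviteesource.com report.txt`. A CRC mismatch or a fingerprint disagreement means the block was altered somewhere between this page and your machine, and nothing should be encrypted to it.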

IMPORTANT NOTES:

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people's data;
  • Do not reveal the problem to others until it has been resolved;
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications; and
  • Do provide sufficient information to reproduce the problem, so that we will be able to resolve it as quickly as possible.

What we promise:

  • We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date;
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report;
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission;
  • We will keep you informed of the progress towards resolving the problem;
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise); 

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

There aren’t any published security advisories