Unless an advisory states otherwise, only the latest version of Zero-TOTP and Zero-TOTP rescue is supported and receives security updates.
You can find the version in the release section of each project's repository.
If you believe you have discovered a security vulnerability in Zero-TOTP, please report it to us by emailing developer@zero-totp.com. We ask that you do not report security vulnerabilities directly on GitHub, public forums, or any other public channel.
Please encrypt all sensitive information with the following PGP key
We evaluate reported vulnerabilities based on the following criteria:
- Impact: The severity and potential impact of the vulnerability.
- Likelihood: The likelihood of the vulnerability being exploited.
- Complexity: The complexity of exploiting the vulnerability.
You can use CVSS 3 to evaluate the criticality of your findings. Findings with a CVSS score below 3 will not necessarily be treated, and/or may be handled with an increased delay. Of course, the most critical vulnerabilities will be treated before everything else, while the investigation is done.