Security: homarr-labs/homarr

SECURITY.md

Security Policy

This policy is relevant if you found potential vulnerabilities in an audit. We consider something as a vulnerability if it...

  1. puts users or user data at risk
  2. enables third parties to gain control or access (e.g. RATs, privilege escalation, ...)
  3. abuses the system in an unintended way (e.g. crypto mining, proxy, ...)

Supported Versions

Version Supported
>1.0.0
<1.0.0

Reporting a Vulnerability

We use GitHub's system for reporting vulnerabilities. Click here to report an advisory. Our team will get notified and will get back to you within 1-6 business days.

As a general guideline, please provide as much detail as possible, including reproduction steps / documentation regarding the re-creation. You may also provide a fork with a fix for the vulnerability. See https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html for guidelines regarding disclosure.

If you're unable / unwilling (or it's not safe) to disclose vulnerabilities via GitHub, please report them with the subject "Security advisory - CVEXXX" to our email homarr-labs@proton.me. Please never disclose security vulnerabilities publicly on your own - we'd like to search for a diplomatic solution that is also safe for our users.

In your initial contact with us, please provide details according to the OWASP guidelines for initial reports.

Thank you! We're looking forward to your report.

There aren’t any published security advisories