Skip to content

Security: kurrier-org/kurrier

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Kurrier, please report it privately.

Email: security@kurrier.org

Please include:

  • A description of the issue
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code or screenshots if applicable

Please do not disclose vulnerabilities publicly until they have been reviewed and addressed.

Supported Versions

At the moment, security updates are primarily focused on the latest version of Kurrier.

Scope

Kurrier is a self-hosted email and collaboration platform. Vulnerabilities involving:

  • Authentication
  • Authorization
  • Shared inbox access
  • Message access
  • Credential leakage
  • Token/session handling
  • SMTP/IMAP/DAV integrations
  • Remote code execution
  • SSRF
  • Database access control

are considered especially important.

Response Process

I will make a reasonable effort to:

  • Acknowledge reports promptly
  • Investigate issues responsibly
  • Coordinate disclosure timelines where appropriate
  • Release fixes as time and resources permit

Kurrier is currently maintained primarily by a single developer, so response times may vary.

Thank you for helping improve the security of the project.

Learn more about advisories related to kurrier-org/kurrier in the GitHub Advisory Database