If you discover a security vulnerability in Kurrier, please report it privately.
Email: security@kurrier.org
Please include:
- A description of the issue
- Steps to reproduce
- Potential impact
- Any proof-of-concept code or screenshots if applicable
Please do not disclose vulnerabilities publicly until they have been reviewed and addressed.
At the moment, security updates are primarily focused on the latest version of Kurrier.
Kurrier is a self-hosted email and collaboration platform. Vulnerabilities involving:
- Authentication
- Authorization
- Shared inbox access
- Message access
- Credential leakage
- Token/session handling
- SMTP/IMAP/DAV integrations
- Remote code execution
- SSRF
- Database access control
are considered especially important.
I will make a reasonable effort to:
- Acknowledge reports promptly
- Investigate issues responsibly
- Coordinate disclosure timelines where appropriate
- Release fixes as time and resources permit
Kurrier is currently maintained primarily by a single developer, so response times may vary.
Thank you for helping improve the security of the project.