Report Security Vulnerabilities

At Frappe, we believe a complete ERP software is the one that is able to handle all your business operations including security. It is more secure than ever. It is not the perfect ERP software yet but we are actively looking for more security holes to plug.

If you find any security breaches, please report the issue to us by emailing to security@frappe.io

In Scope Domains

  • *.erpnext.com
  • *.frappecloud.com

Out of Scope Domains

  • build.erpnext.com
  • gateway.erpnext.com
  • erpnext.atlassian.net
  • discuss.erpnext.com
  • Github Wikis
  • Credential or Info leak in test files

Security Vulnerability Report

It is important to include at least the following information in the email:

  • Organization and contact name
  • Your Reference / Advisory Number
  • Description of the potential vulnerability
  • Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
  • Information about known exploits
  • Disclosure plans, if any
  • If you want public recognition

Please allow a reasonable time (10-15 days) for us to confirm and respond to the issue after reporting. You will hear from us when it is absolutely necessary.

Policy

You are responsible for complying with all applicable laws and must only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.

  • Provide details of the vulnerability finding, including information needed to reproduce and validate the report
  • Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of ERPNext accounts that are not your own
  • Do not attempt to target ERPNext/Frappe employees or its customers, including social engineering attacks, phishing attacks or physical attack

Read More:

  • If your reported vulnerability is not addressed in 3 months then you can email us at security@frappe.io. Please refrain from sending requests to any other email-ids as they will not be addressed.
  • Please do not use 3rd party sites when doing testing (for instance, @xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS testing, please make sure that all of it goes through domains on you have control over. Thanks!

List of Known Vulnerabilities

To view a list of known vulnerabilities that have already been fixed in the system, please visit the CVE References Page.