Report Security Vulnerabilities
At Frappe, we believe a complete ERP software is one that handles all of your business operations, including security. ERPNext is more secure than ever. It is not a perfect ERP software yet, and we are actively looking for more security holes to plug.
If you find a security vulnerability, please report it to us by emailing security@frappe.io.
*.erpnext.com
*.frappecloud.com
build.erpnext.com
gateway.erpnext.com
erpnext.atlassian.net
discuss.erpnext.com
Github Wikis
Credential or Info leak in test files
Please include at least the following information in the email:
Organization and contact name
Your Reference / Advisory Number
Description of the potential vulnerability
Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
Disclosure plans, if any
If you want public recognition
Please allow a reasonable time (10-15 days) after reporting for us to confirm and respond to the issue. We will contact you only when necessary.
You are responsible for complying with all applicable laws and must only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of, user data is explicitly prohibited without prior consent from the account owner.
Provide details of the vulnerability finding, including information needed to reproduce and validate the report
Do not attempt brute-force attacks, denial-of-service attacks, or the compromise or testing of ERPNext accounts that are not your own
Do not target ERPNext/Frappe employees or customers, including through social engineering, phishing or physical attacks
If your reported vulnerability has not been addressed within 3 months, you can follow up by emailing security@frappe.io. Please refrain from sending requests to any other email addresses, as they will not be addressed.
Please do not use third-party sites when testing (for instance, @xss.ht). We understand the use case and value of this testing, but ask that when doing blind XSS (or any other) testing you only use assets that you explicitly own and control yourself. While we support blind XSS testing, please make sure that all of it goes through domains you control. Thanks!
To view a list of known vulnerabilities that have already been fixed in the system, please visit the CVE References Page.