Report Security Vulnerabilities
While we try to be proactive in preventing security problems, we do not assume they will never come up.
If you have found a security or abuse-risk related bug in a Frappe or ERPNext product and want to report it to us, you have come to the right place. Please fill out the following form and we’ll be in touch shortly. If this is a valid vulnerability report, it might also be eligible for a reward as part of our Vulnerability Reward Program. Thanks!
Rewards (According to Severity)
Rewards are based on the severity of the vulnerability and its impact on the system. The decision on the severity of a vulnerability rests entirely with the Frappe Security team.
Accepted Risk or Information - $0
Any reproducible vulnerability that affects the security of our users is likely to be in scope.
The following is the list of qualifying vulnerabilities:
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Code Injection
- Buffer Overflow
- Unvalidated Input
- Broken Access Control
- Race Condition
- Weaknesses in Authentication & Authorization
- Weaknesses in Cryptographic Practices
- Privilege Escalation
- CRLF Injection
- CSRF (Cross Site Request Forgery)
- IDOR (Insecure Direct Object References)
- Open Redirect
- HTTP Request Smuggling
- Information Disclosure
- Subdomain Takeover
In Scope Domains
Out of Scope Domains
- GitHub wikis
- Credential or information leaks in test files
Security Vulnerability Submission
It is important to include at least the following information in your report:
- Organization and contact name
- Your Reference / Advisory Number
- Description of the potential vulnerability
- Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
- Information about known exploits
- Disclosure plans, if any
- If you want public recognition
Please allow a reasonable time (10 to 15 days) for us to confirm and respond to the issue after you report it. We will contact you when it is necessary.
You are responsible for complying with all applicable laws and must only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of, user data is explicitly prohibited without prior consent from the account owner.
- Provide details of the vulnerability finding, including information needed to reproduce and validate the report
- Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of ERPNext accounts that are not your own
- Do not attempt to target ERPNext/Frappe employees or its customers, including through social engineering attacks, phishing attacks or physical attacks
- XSS and HTML Injection reports may not be rewarded unless the disclosed vulnerability is highly severe.
- If your reported vulnerability is not addressed within 3 months, you can email us at firstname.lastname@example.org. Please refrain from sending requests to any other email addresses, as they will not be addressed.
- Please do not use third-party sites when testing (for instance, @xss.ht). We understand the use case (and the value of this testing), but ask that when doing blind XSS (or any) testing, you only use assets that you explicitly own and control yourself. While we support blind XSS testing, please make sure that all of it goes through domains you control. Thanks!
List of Known Vulnerabilities
To view a list of known vulnerabilities that have already been fixed in the system, please visit the CVE References Page.