
Security: Countly/countly-server

SECURITY.md

Security Policy

Security is very important to us. If you discover a security issue, please disclose it responsibly by sending an email to [email protected] rather than by opening a GitHub issue.

All software-related security bugs rated Medium severity or higher are eligible for a bug bounty reward according to their severity.

Vulnerability levels

Critical Severity: the software can be exploited at any time, with no additional information, access or preconditions required

High Severity: some additional information, access or action is required (for example, a user must click an injected link) before the software can be exploited

Medium Severity: the impact is limited (for example, only restricted information can be accessed) or the exploit requires special conditions (for example, the server must be configured in a specific way)

Low Severity: no bounty reward. Does not directly constitute a vulnerability but creates an opportunity for one, such as exposing the software version (which can be mapped to known vulnerabilities), outdated dependencies, or server misconfiguration

Exclusion

Server-specific and deployment-specific configurations are excluded, because our software is deployed on premise and the configuration is under the operator's control. All server configuration issues will be forwarded to the relevant departments/parties/companies, but we cannot guarantee a bounty reward for them.
