Please report any suspected security vulnerabilities privately to [email protected]. Please do NOT create publicly viewable issues for suspected security vulnerabilities.
We will acknowledge receipt of your vulnerability report as soon as possible and strive to send you regular updates about our progress. If you're curious about the status of your disclosure please feel free to email us again. If you want to encrypt your disclosure email please email us to ask for our PGP key.
Please refrain from requesting compensation for reporting vulnerabilities. If you want we will publicly acknowledge your responsible disclosure. We also try to make the issue public after the vulnerability is announced. Usually bug reports are made public after 30 days, if possible.
You are not allowed to search for security vulnerabilities on any hosted service of Reposeed Server without the consent of the party hosting it. Reposeed Server is open source software and can be installed for testing and security issues on your own infrastructure.