Mojaloop Vulnerability Reporting Procedure
This procedure is for guiding the public on how security vulnerabilities should be reported safely and responsibly to the dedicated security team within Mojaloop. As representatives of the Mojaloop Community, we strongly encourage everyone to alert us of the potential security vulnerabilities privately first, before disclosing them in a public forum – a right everyone is entitled to without any permission whatever from us as the maintainer of the platform.
Contact firstname.lastname@example.org to report a security vulnerability in the Mojaloop codebase.
We cannot accept regular bug reports or other security related queries at these addresses. All mail sent to these addresses that does not relate to an undisclosed security problem in an Mojaloop project will be ignored.
NB. Security vulnerabilities should not be entered in a project's public bug tracker unless the necessary configuration is in place to limit access to the issue to only the reporter and the project security team.
Please send one plain-text email for each vulnerability you are reporting. We may ask you to resubmit your report if you send it as an image, movie, HTML, or PDF attachment when it could just as easily be described with plain text.
We have no restrictions whatsoever for the vulnerability type or method used to uncover the vulnerabilities. The public is welcome to use any methods or tools available to them, including analysis of the source, and apply any methodology of their own in finding vulnerabilities, provided that the vulnerability report is clear and self-descriptive.
We use standard TLS encryption in our mail systems however should the reporter requires additional layer security before sending the info then we are flexible to cater for that on a case by case basis by contacting email@example.com
Further information regarding handling of published vulnerabilities for an Mojaloop project can usually be found on the project’s GitHub Account. If you cannot find the information you are looking for on GitHub, you should ask your question on the project's user mailing list above.
An overview of the vulnerability handling process is:
- The reporter reports the vulnerability privately to Mojaloop.
- The appropriate project's security team works privately with the reporter to resolve the vulnerability.
- A new release of the Mojaloop package concerned is made that includes the fix.
- The vulnerability is publicly announced to the Mojaloop Community