@@ -6,8 +6,8 @@ This file contains some policies about the security reports on Dolibarr ERP CRM
| Version | Supported |
| --------- | ------------------ |
-| <= 9.0.* | :x: |
-| >= 10.0.* | :white_check_mark: |
+| <= 12.* | :x: |
+| >= 13.* | :white_check_mark: |
## Reporting a Vulnerability
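Review bot: the supported-version table now lists only `<= 12.*` and `>= 13.*`, so releases 10.x through 12.x silently move from :white_check_mark: to :x:, and nothing else in this hunk tells a reporter where issues found on those branches stand; add a sentence under "Reporting a Vulnerability" (or in the commit message) stating that reports against versions below 13 are out of scope and that security fixes land only in the supported branch.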
@@ -23,11 +23,11 @@ If you believe you've found a security bug in our service, we are happy to work
Any type of denial of service attacks is strictly forbidden, as well as any interference with network equipment and Dolibarr infrastructure.
-We recommand to install Dolibarr ERP CRM on you own server (as most Open Source software, download and use is free: https://www.dolibarr.org/download) to get access on every side of application.
+We recommand to install Dolibarr ERP CRM on your own server (as most Open Source software, download and use is free: https://www.dolibarr.org/download) to get access on every side of application.
### User Agent
-If you try to find bug on Dolibarr, we recommend to append to your user-agent header the following value: '-BugHunting-dolibarr'.
+If you try to find bug on Dolibarr, we recommend to append to your user-agent header the following value: '-securitytest-for-dolibarr'.
### Account access
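Review bot: the replacement line `+We recommand to install Dolibarr ERP CRM on your own server ...` fixes "you own" but carries over the misspelling "recommand" (should be "recommend") and the phrase "to get access on every side of application" (suggest "to get access to every part of the application"); since the line is being edited anyway, fix both. In the User Agent bullet the new marker value `-securitytest-for-dolibarr` is fine, but the sentence around it still reads "If you try to find bug on Dolibarr, we recommend to append"; suggest "If you try to find bugs in Dolibarr, we recommend appending the following value to your User-Agent header:".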
@@ -36,44 +36,32 @@ You can install the web application yourself on your own platform/server so you
## Eligibility and Responsible Disclosure
-We are happy to thank everyone who submits valid reports which help us improve the security of Dolibarr however, only those that meet the following eligibility requirements may receive a monetary reward:
+We are happy to thank everyone who submits valid reports which help us improve the security of Dolibarr however, only those that meet the following eligibility requirements will be "validated reports" (if not, we may close the report without any answer):
-You must be the first reporter of a vulnerability.
-
-The vulnerability must be a qualifying vulnerability (see below)
-
-Any vulnerability found must be reported no later than 24 hours after discovery
+You must be the first reporter of the vulnerability (duplicate reports are closed).
You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second), that's why we recommand to install softwate on your own platform.
-You must not leak, manipulate, or destroy any user data.
-
-You must not be a former or current employee of Dolibarr or one of its contractor.
-
-Reports about vulnerabilities are examined by our security analysts.
-
-Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
-
-No vulnerability disclosure, including partial is allowed for the moment.
+You must not leak, manipulate, or destroy any user data of third parties to find your vulnerability.
## Scope for qualified vulnerabilities
-ONLY vulnerabilities discovered, when the following setup on test platform is used, are accepted:
+ONLY vulnerabilities discovered, when the following setup on test platform is used, are "validated":
* $dolibarr_main_prod must be set to 1 into conf.php
* $dolibarr_nocsrfcheck must be kept to the value 0 into conf.php (this is the default value)
* $dolibarr_main_force_https must be set to something else than 0.
-* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be enabled soon by default)
+* The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be set to 1 soon by default)
* The module DebugBar must NOT be enabled (by default, this module is not enabled. This is a developer tool)
* The module ModuleBuilder must NOT be enabled (by default, this module is not enabled. This is a developer tool)
-* ONLY security reports on modules provided by default and with the "stable" status are allowed (troubles into "experimental", "developement" or external modules are not accepted).
+* ONLY security reports on modules provided by default and with the "stable" status are allowed (troubles into "experimental", "developement" or external modules are not valid vulnerabilities).
* The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer).
* The web server setup must be done so only the documents directory is in write mode. The root directory called htdocs must be readonly.
-* CSRF attacks are accepted for all when using a POST URL, but are accepted only for creating or updating data resctricted to the admin user when using GET URL.
-* Ability for a high level user to edit web site pages in the CMS by including javascript is an expected feature.
+* CSRF attacks are accepted for all when using a POST URL, but when using GET URL, they are validated only for creating or updating data resctricted to the admin user.
+* Ability for a high level user to edit web site pages into the CMS by including HTML or Javascript is an expected feature. Vulnerabilities into the website module are validated only if HTML or Javascript injection can be done by a non allowed user.
Scope is the web application (back office) and the APIs.
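Review bot: this hunk deletes "Any vulnerability found must be reported no later than 24 hours after discovery" and "No vulnerability disclosure, including partial is allowed for the moment." without adding any replacement, so the section still titled "Eligibility and Responsible Disclosure" no longer says whether or when a reporter may publish; add one line stating the expected disclosure window (or that public disclosure waits until a fix is released) so the heading matches the rules below it. Smaller points in the same hunk: the new eligibility sentence needs a comma before "however" ("...the security of Dolibarr; however, only those..."); the two rewritten bullets keep typos from the originals ("resctricted" in the CSRF bullet, "developement" in the stable-modules bullet) and the unchanged context line still reads "recommand to install softwate"; the CSRF bullet would read more clearly as "CSRF reports are validated for any POST URL, but for GET URLs only when they create or update data restricted to the admin user"; and in the website-module bullet "by a non allowed user" is better as "by a user who is not allowed to edit pages".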