Security: Mejez6603/comrent-firebase

SECURITY.md

Security Policy for ComRent

The ComRent team and its contributors take the security of our software seriously. We appreciate your efforts to responsibly disclose your findings, and we will make every effort to acknowledge your contributions.

Supported Versions

As this is a rapidly developing project, security updates are only applied to the most recent version on the main branch. We encourage all users to run the latest version of the code.

Version   Supported
Latest    Yes

Reporting a Vulnerability

We are currently in the process of setting up a private reporting mechanism. In the meantime, we ask that you follow this process for reporting a vulnerability:

  1. Create a GitHub Issue: Go to the Issues tab of the repository and create a new issue.
  2. Provide a clear title: Your title should be descriptive, such as "Potential Cross-Site Scripting (XSS) in Admin Panel" or "Insecure Direct Object Reference in PC Status API".
  3. DO NOT include sensitive information in the public issue description. Please provide a general overview of the vulnerability and state that you are willing to share the details privately.
  4. Await contact: A project maintainer will contact you (if your GitHub profile provides a contact method) or will create a temporary private repository to discuss the details of the vulnerability.

We ask that you do not disclose the vulnerability publicly until we have had a reasonable amount of time to address it.

What to Include in a Private Report

Once we establish a private channel, please include the following details in your report:

  • A description of the vulnerability and its potential impact.
  • The component or URL where the vulnerability can be found.
  • Step-by-step instructions to reproduce the issue.
  • Any proof-of-concept code, screenshots, or screen recordings.
  • The browser, operating system, and any other relevant environment details.

Our Commitment

If you follow this process, we will:

  • Acknowledge receipt of your report in a timely manner.
  • Provide you with an estimated timeline for addressing the vulnerability.
  • Notify you when the vulnerability has been fixed.
  • Credit you for your discovery (unless you prefer to remain anonymous).

Thank you for helping keep ComRent and its users safe.
