
Security: bonfire-networks/bonfire-app

SECURITY.md

Security Policy

Thank you for helping to keep Bonfire and the fediverse safe!

Supported versions

Security fixes are provided only for the versions listed below. Older releases do not receive security updates; please upgrade before reporting an issue you can only reproduce on an unsupported version.

Version    Supported
0.9.12+    yes
earlier    no

Reporting a vulnerability

If you believe you have found a security vulnerability in Bonfire, please do not open a public issue. Instead, report it privately by emailing us at [email protected] or via Signal.

  • Please include as much detail as possible to help us understand and reproduce the issue.
  • If possible, include steps (including commands and code) to reproduce, potential impact, and suggestions for remediation.
  • If the issue also affects other fediverse projects (for example, a flaw in how ActivityPub messages are handled), please say so. We are happy to work with the other teams on a coordinated disclosure.

Exclusions

While researching, we'd like to ask you to refrain from:

  • Spamming
  • Denial of service
  • Social engineering (including phishing)
  • Testing or targeting project infrastructure (e.g., our hosted Bonfire instances, websites, object storage, or email services).

As Bonfire is open source, please run your own instance for testing, rather than targeting any instance hosted by others.

Responsible disclosure

We ask that you:

  • Give us a reasonable amount of time to respond and fix the vulnerability before any public disclosure.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue to the project maintainers.

We aim to respond within 5 working days and will keep you updated on our progress.

AI disclosure

If you have used AI tools at any stage of preparing the vulnerability report, you must say so clearly in the report. Be aware that we treat every claim in an AI-assisted report with additional skepticism, so check and re-check all AI-generated findings yourself (ideally by reproducing them against your own instance) before sending the report to us.

Security best practices

  • Always run the latest supported version.
  • Keep your server software and dependencies up to date (e.g. Linux, Docker, Postgres).
  • Review our docs for secure configuration tips.

Public security announcements

When a vulnerability is fixed, we will publish a security advisory on the Security Advisories page and announce it on our project website and fediverse account @[email protected].

Submitted reports may be published after the issue has been resolved and the information is no longer sensitive, in line with our commitment to transparency as an open source project.

Credits

We thank all security researchers and contributors for helping make Bonfire safer for everyone in the fediverse.
