SECURITY_TEMPLATE.md

Stalwart Security Advisory

CVE ID: CVE-YYYY-NNNNN Publication Date: YYYY-MM-DD
Last Updated: YYYY-MM-DD

Summary

[Provide a brief, non-technical summary of the vulnerability in 1-2 sentences]

Affected Products and Versions

Product: Stalwart Mail and Collaboration Server

Affected Versions:

• Version X.X.X through Y.Y.Y
• [List specific affected version ranges]

Fixed Versions:

• Version Z.Z.Z and later
• [List all versions that include the fix]

Vulnerability Details

Description

[Detailed technical description of the vulnerability, including how it can be exploited]

Impact

[Describe the potential impact if this vulnerability is exploited]

CVSS Score

CVSS v3.1 Base Score: X.X ([SEVERITY])
Vector String: CVSS:3.1/AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X

Severity Breakdown:

• Attack Vector: [Network/Adjacent/Local/Physical]
• Attack Complexity: [Low/High]
• Privileges Required: [None/Low/High]
• User Interaction: [None/Required]
• Scope: [Unchanged/Changed]
• Confidentiality Impact: [None/Low/High]
• Integrity Impact: [None/Low/High]
• Availability Impact: [None/Low/High]

CWE Classification

CWE-XXX: [Weakness Name]

Technical Details

Root Cause

[Explain the underlying cause of the vulnerability]

Attack Scenario

[Describe a realistic attack scenario or proof of concept, without providing exploit code]

Prerequisites

[List any conditions that must be met for successful exploitation]

Remediation

Recommended Actions

1. Immediate: Upgrade to version Z.Z.Z or later
2. Short-term: [Any temporary mitigation measures]
3. Long-term: [Any additional security hardening recommendations]

Upgrade Instructions

# Example upgrade commands
[Provide specific upgrade instructions for Stalwart]

Workarounds

[If applicable, describe any temporary workarounds for systems that cannot be immediately upgraded]

Note: Workarounds are temporary measures and do not fully resolve the vulnerability. Upgrading is strongly recommended.

Detection

Indicators of Compromise

[List any logs, patterns, or indicators that may suggest exploitation attempts]

Log Entries

[Example log entries that administrators should look for]

Timeline

• YYYY-MM-DD: Vulnerability discovered [by researcher/team name]
• YYYY-MM-DD: Vendor notified
• YYYY-MM-DD: Vendor acknowledged issue
• YYYY-MM-DD: Fix developed and tested
• YYYY-MM-DD: Fixed version released
• YYYY-MM-DD: Public disclosure

Credits

This vulnerability was discovered by [Researcher Name / Organization].

References

• Stalwart Mail Server: https://stalw.art/
• CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-NNNNN
• GitHub Advisory: [Link to GitHub Security Advisory if applicable]
• Release Notes: [Link to release notes with fix]

Contact Information

For questions or concerns regarding this advisory, please contact:

Security Team: hello@stalw.art
Website: https://stalw.art

To report security vulnerabilities in Stalwart, please follow our responsible disclosure policy.

Disclaimer

This advisory is provided "as is" without warranty of any kind. The information contained in this advisory is subject to change without notice.

---

Document Version: 1.0
Classification: Public