Reporting a Vulnerability

If you discover a security vulnerability in FOSSBilling, please do not disclose it publicly. Instead, follow the steps below and our security policy so that we can fix the issue without exposing more users to danger.

To report a vulnerability, please make a submission through the reporting platform linked from our security policy. Its website should give you a good idea of how to write a good vulnerability report. It is important to make the submission there, because it keeps the vulnerability private and helps ensure it cannot be exploited while a patch is in the works.

If you have a suggestion that is related to security but is not an actual exploit, creating an issue on GitHub is a suitable place for it.

A good report usually includes which file(s) contain the vulnerability, how it could be exploited, its potential impact, a proof-of-concept exploit, and, if possible, some insight into a fix. A proper vulnerability report is rewarded with a cash payment; if you also provide a patch, there is usually a reward for that as well.

Not a Vulnerability?

Reporting bugs

This section guides you through submitting a bug report for FOSSBilling. Following these guidelines helps maintainers and the community understand your report 📝, reproduce the behavior 💻, and find related reports 🔎.

Before creating a bug report, please check the list below; you might find that you don't need to create one. When you do create a bug report, please include as many details as possible.

Note: If you find a closed issue that seems to describe the same thing you're experiencing, open a new issue and include a link to the original issue in the body of your new one.

Before Submitting A Bug Report

Perform a cursory search to see if the problem has already been reported. If it has and the issue is still open, add a comment to the existing issue instead of opening a new one.

How Do I Submit A (Good) Bug Report?

A detailed guide can be found in CONTRIBUTING. If you're still unsure, or it's too much to read, drop a message on Discord.

Sometimes it might take some time to get a response. Please be patient!