Reporting a security issue in Tuleap

All security bugs in Tuleap should be reported by emailing security@tuleap.org.

A member of our security team will acknowledge your vulnerability report within 3 business days, and you will receive a response indicating the next steps in handling your report.

Vulnerabilities in third-party applications should be reported to their respective maintainers. The Tuleap security team is not responsible for the security of these applications but will attempt to contact the third-party maintainer if an issue is brought to its attention.

If you feel it is necessary, you can use the GPG key displayed below to transmit your report securely.

Any effort made to improve the security of the Tuleap software or its users will be greatly appreciated by the Tuleap community. If you wish, your disclosure will be publicly acknowledged in the public report. Please refrain from requesting compensation for reporting vulnerabilities. At this time the Tuleap project does not deliver bounties.

Issues that do not affect the security of the Tuleap software itself but one of the services managed for the Tuleap community (such as issues affecting the tuleap.org website) can be reported under the same guidelines but do not warrant a public acknowledgment. SPF, DKIM, or DMARC issues in one of the services managed for the Tuleap community must not be reported.

Coordinated Disclosure Guidelines

The Tuleap community would be grateful if security researchers complied with the following guidelines while researching and reporting vulnerabilities:

  • Do not test for vulnerabilities on instances you do not own. Tuleap is open-source software; you can install your own copy or use our Docker image to quickly get a playground.
  • Confirm the vulnerability exists in the most recent stable or development version.
  • Allow the security team enough time to correct the reported vulnerability before publicly identifying or disclosing it.

Our security team follows the following guidelines:

  • Vulnerability reports can take some time to be resolved but every effort will be made to handle a bug in as timely a manner as possible.
  • Advisories for the reported vulnerabilities are made public in the Tuleap bug report tracker one week after the publication of a major Tuleap release that includes the fix.
  • Security researchers and their findings are respected and will be publicly acknowledged if they wish.
  • No legal threats or punitive actions will be taken against security researchers for reporting vulnerabilities.

security@tuleap.org GPG Public Key
