Thank you for improving the security of the project. I take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues you find.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them to me by following the steps below:
- Email: Send an email to [email protected] with the subject "Security Vulnerability Report: Wakatime-Leaderboards".
- Discord: If you prefer not to use email, reach out to me via Discord (@nicconike, @Nicco#1741) or the Discord Server.
- OpenPGP key: If possible, encrypt your message with my GPG key. You can download the GPG key from here.
- Information to include:
  - Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  - Full paths of source file(s) related to the manifestation of the issue
  - The location of the affected source code (tag/branch/commit or direct URL)
  - Any special configuration required to reproduce the issue
  - Step-by-step instructions to reproduce the issue
  - Proof-of-concept or exploit code (if possible)
  - Impact of the issue, including how an attacker might exploit the issue
- Download and install GPG software.
- Download the public key from the key server:
  - Open the OpenPGP server website in your browser.
  - Search for the key using this fingerprint: `333675FF949C2CDDB86DBD64C82BDEDDEFDE338B`
  - Click on the public key (`rsa4096/333675ff949c2cddb86dbd64c82bdeddefde338b`), which will download the public key file `333675ff949c2cddb86dbd64c82bdeddefde338b.asc`.
  - Please rename the file to something simpler, like `public_key.asc`.
- Import the public key:
  - After downloading the public key file (`public_key.asc`), import it into your GPG keyring using the following command: `gpg --import public_key.asc`
- Verify the imported key:
  - List the keys in your keyring to verify that the public key has been imported correctly: `gpg --list-keys`
- Encrypt your message:
  - Create a text file containing your vulnerability report (e.g., `vulnerability_report.txt`).
  - Encrypt the file using the public key: `gpg --encrypt --armor --recipient [email protected] vulnerability_report.txt`
  - This will create an encrypted file (e.g., `vulnerability_report.txt.asc`).
- Send the encrypted message:
  - Share the encrypted file (`vulnerability_report.txt.asc`) with me via Discord [@nicconike] or the Discord Server.
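The import, verify and encrypt steps above, as an added example script that is not part of this project's policy: instead of only listing the keyring, it refuses to encrypt unless the imported key's fingerprint matches the one published above, and it addresses the recipient by that fingerprint rather than by e-mail address. The file names are the ones used in the steps; `EXPECTED_FPR` is the fingerprint from this page.

```shell
#!/bin/sh
# Added example, not part of the project's policy: import the maintainer's key,
# refuse to continue unless its fingerprint matches the one published above,
# then encrypt the report. File names follow the steps above.
set -eu

EXPECTED_FPR="333675FF949C2CDDB86DBD64C82BDEDDEFDE338B"   # fingerprint from this page

# Print the primary-key fingerprint(s) found in `gpg --with-colons` output.
# Field 10 of an "fpr" record holds the fingerprint; the first "fpr" record
# after a "pub" record is the primary key's, later ones belong to subkeys.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Succeeds (exit 0) only if EXPECTED is a primary-key fingerprint in COLONS.
# Case-insensitive, since key servers and gpg differ in how they print it.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    colons=$2
    printf '%s\n' "$colons" | primary_fingerprints | grep -qx "$expected"
}

# encrypt_report KEYFILE REPORT -> writes REPORT.asc, or fails without writing.
encrypt_report() {
    keyfile=$1
    report=$2
    gpg --import "$keyfile"
    colons=$(gpg --with-colons --fingerprint --list-keys "$EXPECTED_FPR" 2>/dev/null || true)
    if ! fingerprint_matches "$EXPECTED_FPR" "$colons"; then
        echo "fingerprint of imported key does not match the published one; aborting" >&2
        return 1
    fi
    # Address the recipient by full fingerprint, not e-mail address, so a
    # look-alike key carrying the same user ID can never be selected. The
    # fingerprint was just checked against the published value, which is the
    # assurance --trust-model always stands in for here (no web of trust needed).
    gpg --batch --yes --trust-model always --encrypt --armor \
        --recipient "$EXPECTED_FPR" --output "$report.asc" "$report"
}

if [ "$#" -eq 2 ]; then
    encrypt_report "$1" "$2"
fi
```

Run it as `sh encrypt_report.sh public_key.asc vulnerability_report.txt`; it exits non-zero and writes nothing if the key you fetched is not the one whose fingerprint is published here.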
You should receive a response within 24 hours. If for some reason you do not, please follow up via Discord to ensure I received your original message.
I would prefer all communications to be in English.
This project follows the principle of Coordinated Vulnerability Disclosure.
Please see the docs on privately reporting a security vulnerability.
| Version | Supported |
|---|---|
| \> 1.1.0 | ✅ |
| < 1.0.0 | ❌ |
Thank you for helping to keep the project secure!