Report Security Vulnerabilities

At ERPNext, we believe a complete ERP software is the one that is able to handle all your business operations including security. It is more secure than ever. It is not the perfect ERP software yet but we are actively looking for more security holes to plug.

If you find any security breaches, please report the issue to us via this form

In Scope Domains

  • *.erpnext.com
  • *.frappecloud.com

Out of Scope Domains

  • build.erpnext.com
  • gateway.erpnext.com
  • erpnext.atlassian.net
  • discuss.erpnext.com
  • Github Wikis
  • Credential or Info leak in test files

Rewards

Rewards will be based upon severity and the impact of the vulnerability to the system. The decision to evaluate the severity of the vulnerability lies completely with the Frappe Security team.

Qualifying Vulnerabilities

Any reproducible vulnerability that affects the security of our users is likely to be in scope.

Following is the list of qualifying vulnerabilites:

  • Remote Code Execution (RCE)
  • SQL Injection (SQLi)
  • Code Injection
  • Buffer Overflow
  • Unvalidated Input
  • Broken Access-Control Problem
  • Race Condition
  • Weaknesses in Authentication & Authorization
  • Weaknesses in Cryptographic Practices
  • Privilege Escalation
  • CRLF Injection
  • CSRF (Cross Site Request Forgery)
  • IDOR (Insecure Direct Object References)
  • Open Redirect
  • HTTP Request Smuggling
  • Information Disclosure
  • Subdomain Takeover

Security Vulnerability Submission

It is important to include at least the following information in the email:

  • Organization and contact name
  • Your Reference / Advisory Number
  • Description of the potential vulnerability
  • Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
  • Information about known exploits
  • Disclosure plans, if any
  • If you want public recognition

Please allow a reasonable time (10-15 days) for us to confirm and respond to the issue after reporting. You will hear from us when it is absolutely necessary.

Policy

You are responsible for complying with all applicable laws and must only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products or services. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.

  • Provide details of the vulnerability finding, including information needed to reproduce and validate the report
  • Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of ERPNext accounts that are not your own
  • Do not attempt to target ERPNext/Frappe employees or its customers, including social engineering attacks, phishing attacks or physical attack

Read More:

  • XSS and HTML Injection reports may not be rewarded unless the disclosed vulnerability is highly severe.
  • If your reported vulnerability is not addressed in 3 months then you can email us at security@frappe.io. Please refrain from sending requests to any other email-ids as they will not be addressed.
  • Please do not use 3rd party sites when doing testing (for instance, @xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS testing, please make sure that all of it goes through domains on you have control over. Thanks!

List of Known Vulnerabilities

To view a list of known vulnerabilities that have already been fixed in the system, please visit the CVE References Page.

Report a Vulnerability