Reporting a vulnerability
If you have discovered a security issue in FileMorph or in this deployment, please email [email protected] with a clear description of the issue and any steps required to reproduce it. Encrypted mail is welcome — request our PGP key at the same address if needed.
For issues in the open-source codebase itself, you may alternatively use GitHub Security Advisories. That channel is preferred for issues that affect every self-hosted instance, since the repository maintainers can coordinate a CVE and release a patched version centrally.
What to include in a report
- A description of the vulnerability and its potential impact.
- Steps to reproduce, including any required configuration or input files.
- Affected version (commit hash or release tag if known).
- Whether the issue has been disclosed publicly elsewhere.
Our response
- Acknowledgement: within 72 hours of receipt.
- Initial triage: within 7 days, including a severity assessment.
- Fix timeline: critical issues within 7 days, high severity within 30 days, medium/low within the next regular release.
- Coordinated disclosure: we publish an advisory once a fixed release is available, and credit reporters who wish to be named.
Scope
In scope:
- The FileMorph application source code (this repository).
- The official Docker images and release artifacts.
- Documented API endpoints and the web UI.
Out of scope:
- Third-party services we depend on (Stripe, Zoho, Cloudflare, Hetzner) — please report to those vendors directly.
- Issues that require physical access to a self-hosted server, or social engineering of an operator.
- Reports generated solely by automated scanners without a working proof-of-concept.
- Self-hoster-specific deployment misconfiguration that is not caused by our defaults or documentation.
Safe harbour
Good-faith research in line with this policy will not result in legal action from the FileMorph project. Please avoid privacy violations, service disruption, and data destruction; test against your own self-hosted instance whenever possible.