We take all security bugs seriously. Thank you for improving the security of iTop! We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.

Please send a procedure to reproduce iTop vulnerabilities to itop-security@combodo.com.

You can send us a standard "given / when / then" report, including iTop version, impacts, and maybe installed modules or data if they are needed to reproduce.

Report security bugs in third-party modules to the person or team maintaining the module, and notify us of this report by sending an email to itop-security@combodo.com.

Report sent to us will be acknowledged within the week.

Then, a Combodo developer will be assigned to the reported issue and will:

• confirm the problem and determine the affected iTop versions
• audit the code to search any potential similar problems
• try to find a workaround if any
• create fixes for all releases still under maintenance
• send you the commit(s) for review
• send you the next version(s) that will contain the fix, and the estimated release dates

Security issues always take precedence over bug fixes and feature work.

The assignee will keep you informed of the resolution progress, and may ask you for additional information or guidance.

Once the fix is done and acknowledged by every stakeholder, it will be included in the next iTop version.
Mind we have at least 2 active branches (LTS and STS, see iTop Community Releases [iTop Documentation])

The release communications will include the information of the vulnerability fix.

Corresponding GitHub advisories and CVE will be published 3 months after the iTop version release date so that iTop instances can be updated.