The GIVE team takes the security of our software seriously. If you believe you have found a security vulnerability in any GIVE repository, please report it to us as described below.
GIVE will only ever be providing security updates for the most recent version of its software. This should always be available as the most recently tagged version within this repository. We will not be providing security updates to versions that are not currently released into production.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them by emailing email give@gsa.gov. You should receive a response within 72 hours. If for some reason you do not, please follow up via email to ensure we've received your original message.
Please include the requested information listed below, or as much as you can provide, to help us better understand the nature and scope of the possible issue:
- Issue type (e.g. buffer overflow, SQL injection, cross-site scripting, etc)
- Full paths of source file(s) related to the manifestation of the issue
- Location of the effected source code (direct URL or tag/branch/commit)
- Step-by-step instructions on how to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.