The following security policy covers the QuickBox CE (Community Edition) as seen here within this GitHub repository. For reporting any suspected vulnerabilities within QuickBox Pro, please create a private listing within our QuickBox Labs (here).

The QuickBox Community Edition is under limited development and support. Meaning, it is a community aimed project. As such, any future developments are on hold as we focus on our QuickBox Pro project. We do however take reports of security issues seriously and will work to have these patched upstream in a timely manner. As such, any security reports and subsequent patches are posted upstream on a rolling commit basis covering latest versions as they are released within our master branch.

Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to QuickBox.IO privately, to minimize attacks against current users of QuickBox before they are fixed. Vulnerabilities will be investigated and patched on the next patch (or minor) release as soon as possible. This information could be kept entirely internal to the project.

If you know of a publicly disclosed security vulnerability for QuickBox CE, please IMMEDIATELY contact sec@quickbox.io to inform the QuickBox.IO Team.

IMPORTANT: Do not file public issues on GitHub for security vulnerabilities

Please report (suspected) security vulnerabilities to sec@quickbox.io. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

Provide a descriptive subject line and in the body of the email include the following information:

• Basic identity information, such as your name and your affiliation or company.
• Detailed steps to reproduce the vulnerability.
• Description of the effects of the vulnerability on QuickBox and the related hardware and software configurations, so that the QuickBox Team can reproduce it.
• How the vulnerability affects QuickBox usage and an estimation of the attack surface, if there is one.
• List other projects or dependencies that were used in conjunction with QuickBox to produce the vulnerability.

We prefer all communications to be in English.