Security in Comfora is a very important pillar and is treated as such with our Security Policy. This policy outlines how to report vulnerabilities and how to find them responsibly. Comfora follows responsible disclosure, and we hope our community does so as well, instead of reporting vulnerabilities publicly. This allows us to patch the security vulnerability quickly and effectively, announce its existence and release the fixed version. This security policy applies to:
  • Comfora and Comfora Marketplace Organization
  • Comfora Servers & APIs
  • [Comfora] Scriptor
  • and any repository Comfora owns

What we classify as a vulnerability

CVE (Common Vulnerabilities and Exposures) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is either a vulnerability or an exposure. Per NIST, a vulnerability is:

“Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

If it is determined that the issue does qualify as a CVE, a CVE number will be issued to the reporter from GitHub. If your issue doesn’t classify as a CVE, we still appreciate your help in improving security for Comfora.

Reporting a vulnerability

If you discover a potential vulnerability, please report it responsibly through one of the following channels:
  • Email: security@comfora.org
  • GitHub: Submit a private security advisory via our repository’s advisory portal
We kindly ask that you do not disclose the vulnerability publicly until we have confirmed and addressed the issue.