Skip to content

Security: delight-im/Localize

Security

SECURITY.md

Security

Vulnerability disclosure

Disclose bugs and vulnerabilities for Localize

Project description

# Why we build this

We believe that everybody should be able to use software in their own language.

While software has a rapidly growing impact on our lives, only a much too small fraction of popular applications and websites is available in "enough" languages.

Tools that simplify localization of software can help make every program available every language -- and users often love to help!

> If you talk to a man in a language he understands, that goes to his head. If you talk to him in his language, that goes to his heart.
> — *Nelson Mandela*

Localize is open-source and checking out [our GitHub repository](http://source.localize.im/) may make finding and reporting bugs even easier.

# Scope of bugs

We are interested in all (security-related) bugs on our website at [www.localize.im](https://www.localize.im/). The following categories show what's most important to us and our users:

 * SQL injection
 * Session hijacking/fixation
 * Remote code execution
 * Cross-site scripting (XSS)
 * Cross-site request forgery (CSRF)
 * Privilege escalation
 * Content sniffing (MIME sniffing)
 * Email injection
 * Data theft

We are currently **not** interested in reports of the following weaknesses:

 * Denial of Service (DoS)
 * Brute force attacks
 * Information disclosure in HTTP headers `Server`, `X-Powered-By` or `Via`
 * HTTP Strict Transport Security (HSTS): duration too short
 * Apache/PHP: not the latest version
 * Password fields: missing `autocomplete="off"`
 * username enumeration

# Public disclosure

We'd like to disclose any bug publicly, if you agree with that. We don't want to hide our mistakes and want to be open about the bugs, just as the software itself is open-source.

# Bounties and rewards

Unfortunately, we cannot offer any financial rewards right now, as this project is open-source without any revenue. We hope that public credit and the feeling of having done good may be gratifying.

There aren’t any published security advisories