The Storm team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to security@zantvoort.biz.
Include as much of the following information as possible to help us understand and resolve the issue quickly:
- Type of vulnerability (e.g., SQL injection, remote code execution, information disclosure)
- Full paths of the source file(s) related to the vulnerability
- The Storm module(s) affected
- Step-by-step instructions to reproduce the issue
- Proof of concept or exploit code (if available)
- Impact assessment of the vulnerability

After you report, you can expect the following from us:

- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours.
- Status update: We will provide an initial assessment and status update within 7 days.
- Resolution: We aim to release a fix for confirmed vulnerabilities as quickly as possible, depending on the severity and complexity of the issue.
You will be kept informed of our progress throughout the process.

We provide security updates for the following versions:
| Version | Supported |
|---|---|
| Current release | Yes |
| Previous minor release | Yes |
| Older versions | No |
If you are using an unsupported version, we recommend upgrading to a supported release to receive security fixes.

We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, destruction of data, and disruption of services.
- Only interact with accounts they own or have explicit permission from the account holder to use.
- Do not exploit a security issue you discover for any reason other than to report it.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it publicly.
- Do not submit a high volume of low-quality reports.
We will not take legal action against researchers who discover and report security vulnerabilities in accordance with this policy. We consider security research conducted in compliance with this policy to be authorized, and we will work with you to understand and resolve the issue quickly.

When a security vulnerability is confirmed and resolved, we will:
- Release a patched version as soon as possible.
- Publish a security advisory on GitHub with details about the vulnerability and the fix.
- Credit the reporter (unless anonymity is requested).

For any questions about this security policy, please contact storm@zantvoort.biz.