Security: Combodo/iTop

Security

SECURITY.md

We take all security bugs seriously. Thank you for improving the security of iTop! We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.

✉️ How to report

iTop vulnerabilities

Please send a procedure to reproduce iTop vulnerabilities to itop-security@combodo.com.

You can send us a standard "given / when / then" report, including iTop version, impacts, and maybe installed modules or data if they are needed to reproduce.

Dependencies vulnerabilities

Report security bugs in third-party modules to the person or team maintaining the module, and notify us of this report by sending an email to itop-security@combodo.com.

🔍 Combodo acknowledgment and investigation

Reports sent to us will be acknowledged within the week.

Then, a Combodo developer will be assigned to the reported issue and will:

  • confirm the problem and determine the affected iTop versions
  • audit the code to search for any potential similar problems
  • try to find a workaround if any
  • create fixes for all releases still under maintenance
  • send you the commit(s) for review
  • send you the next version(s) that will contain the fix, and the estimated release dates

Security issues always take precedence over bug fixes and feature work.

The assignee will keep you informed of the resolution progress, and may ask you for additional information or guidance.

📆 Disclosure Policy

Once the fix is done and acknowledged by every stakeholder, it will be included in the next iTop version.
Note that we have at least 2 active branches (LTS and STS, see iTop Community Releases [iTop Documentation]).

The release communications will include information about the vulnerability fix.

Corresponding GitHub advisories and CVE will be published 3 months after the iTop version release date so that iTop instances can be updated.
