SECURITY.md

The FreeCAD project is a FOSS (Free and Open-Source Software) project that has a community of thousands of users andhundreds of developers worldwide. We encourage responsible reporting of security vulnerabilities that may affect usersof this software, and will endeavor to address these vulnerabilities when they are discovered.

FreeCAD does not have a program to pay bounties for security bugs. If you discover a vulnerability that affects a partof the FreeCAD project (either directly in FreeCAD, in a library it depends on, or in any of the various othersubprojects such as our website, forums, etc.) we ask you to join the large community of volunteer contributors andfile a report about the issue.

Note that funds may be available from theFreeCAD Project Association (FPA) to pursuesecurity research and/or the development of fixes to any vulnerabilities discovered. However, vulnerabilities held ashostage in demands for "bounties" will not be entertained. Contact the FPA atfpa@freecad.org for more information.

The Addon Manager implements security fixes to the main branch: the head of that branch is considered the latestrelease, even if it has not yet been synchronized with the main FreeCAD source repository. Users can always updatetheir copy of the Addon Manager to the latest version.

To report a vulnerability use GitHub's security reporting tool:https://github.com/FreeCAD/AddonManager/security/advisories/new

There aren’t any published security advisories