# Security Policy

## Supported Versions

| Version  | Supported          |
| -------- | ------------------ |
| 6.4.x    | :white_check_mark: |
| <= 6.3.x | :x:                |

## Reporting a Vulnerability

If you've found a security vulnerability in Zammad, please report the vulnerability exclusively via email to [security@zammad.com](mailto:security@zammad.com). To send us a secure message, please use our public key below:

We will get back to you as soon as possible and inform you about the next steps. Accepted vulnerabilities will be disclosed via a patch-level release with an accompanying security advisory.

## Rewards

Every first reporter of a vulnerability may be credited in the related security advisory. Zammad does not offer financial compensation through a security bounty program.

## Process Overview

- Potential security issues can be reported via security@zammad.com.
- We evaluate them and provide timely feedback to the reporter.
- There may be security releases created if needed, e.g. https://zammad.com/en/releases/6-3-1.
- We publish security advisories for every acknowledged issue, like https://zammad.com/en/advisories/zaa-2024-04.
- After their publication, we request CVE identifiers to be assigned to the advisories.