ERPNext Foundation ERPNext Cloud User Manual Blog Discuss Frappé* Donate

Whats the security team contact information?

security

#1

Hi,

I found some security issues on ERPNext, how can I contact the security team?
I’ve tried https://erpnext.com/security/report, but seems no respond.

Thanks


#2

@nabinhait @netchampfaris can you help?


#3

Hi, thanks. I am contacting @snv.


#4

You have to understand that the security team and the foundation are both in India and potentially several time zones out of sync with you. You only joined the Forum a few hours ago, if you reported the issues after that, then India has not had time to start their day yet.

BKM


#5

Hello,

First of all, thank you for reporting security issues to us. Secondly, I do check the reported security issues constantly; and it seems like we need a mechanism to update the reporter with the status, or at least an acknowledgement for reporting the issue and the further actions required for it. We do communicate with the reporter once we’ve identified the issue and its severity – which requires some time and dedication from our end as well.

You can also mail us on support if your think your issue has gone unnoticed, or if the issue could have a higher impact than its being treated for (with, of course, a valid use case for the same). Also, please give us at least a couple of days to identify and analyze the issue before actually following up for an update, because as @bkm said, it could also be that since our timezones might be different, we may not be able to get back to you immediately. Or maybe it’s just taking us a bit longer than usual to analyze the issue; we’ll get back to you sooner or later. I hope you understand.

On another note, if you are a developer and could help us fix such security issues, please do so by creating a pull request on the respective repository. We appreciate the community’s efforts to do so and it helps us a lot.

We at Frappe highly regard our user’s security, and do everything that is possible to improve the user’s experience and safety while using the system. I’ll add a quick notifier that’ll send a mail to the reporter as an acknowledgement about the issue being reported. Once again, thank you for reporting the issue, and also for your valuable feedback. Let me know if there is any clarification you need regarding security issues.

Regards,
Chinmay D. Pai


#6

I guess it would be best practice to report back on this matter here once you either have fixed the issue, or the analysis has turned out not to confirm there is any relevant security problem which needs to be addressed.

I am not saying “hey, what’s that status with this right now”. Just would like to suggest to close this Topic once you have followed up upon this internally @Frappe in one way or another. This would gain trust in the core team in regards to potential security issues being addressed as they should be.


#7

Okay, This is really a slippery slope you are trying to navigate.

While in most other topics on this forum, I tend to agree that we should all try to keep the community informed when solutions are found to issues. In the case of potential of security issues affecting the overall security of installed ERPNext systems, I think I will have to respectfully disagree with you.

There is a reason the security issues reporting has it’s very own page and method of reporting. It is to protect the overall security of the multitude of users that depend on this amazing software to run their critical businesses.

If every time a new security threat were to be identified to the general public, those reports would become the most read topics of nefarious characters that would seek to capitalize on the new found weakness to attack existing customers long before the developers could devise a patch to fix the security hole. This would jeopardize many businesses and would forever tarnish the reputation of ERPNext.

Sometimes just indicating there might be a security hole will be enough for shady actors to start trying to setup attacks to test for the flaws.

Please reconsider what you are asking to have revealed. Would your clients be happy or terrified that you revealed the weakness before it were fixed. Think also about the businesses that for one reason or another cannot upgrade their systems because they have many custom additions that might take even longer to convert to newer versions. Some of them might not ever be able to upgrade. So why reveal a weakness to the general public?

If there were really severe security threats that might affect a supported version, the foundation would be recommending everyone upgrade. Even then they would not likely release the details of the security flaw.

Let this sink in a bit before you pursue identifying security all flaws.

BKM


#8

I agree on what you say. But I think you got me wrong a bit

I was only talking about a case where the existence of a security issue is publicly known. In such a case I (if I where in charge) would report back in all shortness something like … “noted & fixed”. That’ll provide sufficient satisfaction to the ones who have seen that their might be any sort of threat that such a potential threat was taking serious, was analysed, was fixed if needed.


#9

Hi,
simple question, if I am self hosted ERPNext, and security patch get release how I get informed to update my instance? or where I have to check if I am concerned by released patch or not?

Thanks
Nofal


#10

In both cases I hear your concern. At the same time I find it hard to want to even announce the possibility of the existence of new or old flaws.

It becomes even more difficult when we are talking about open source applications like ERPNext. One of the things we all acknowledge when we implement this for commercial use, is that we are responsible for putting the best security practices we can in place to keep client data secure.

I do my best to keep all server patches up to date and require 2 level auth. along with complex passwords. Once in the system GUI, almost everything that takes place from a user perspective is tracked. At that point, data security depends on the practices of the client users.

Paths to access to secure data are hard to imagine without direct access to the underlying server.

While I also understand you want some additional comfort level in your usage of the applications, the disclaimer in the official terms of use imply you are ultimately responsible for security. I am happy that the developers even have a special page and security team to monitor and respond to such reports, but the limited resources they are operating under makes it difficult to have complex reporting structures for such issues.

This is really a question to ask the foundation.

BKM