Security procedure

If you come across a vulnerability in Fat Free CRM, we ask that you follow the guidelines below to responsibly disclose and help us patch the system.

Responsible disclosure

Please report issues to security@fatfreecrm.com. We will work with you to understand the issue and how we can fix it. You’re welcome to help us provide a security patch, if you feel you are able.

Please do not disclose the issue publicly until it has been resolved and released. We’re more than willing to give you credit for discovering the issue, once it has been patched and announced, but until then we ask that you consider the security implications of the issue you have found and the impact on others using an unpatched system.

Security advisories

When security advisories are released by the Fat Free CRM team, they will be announced on the Fat Free CRM users Google group. If you wish to receive security announcements, you should subscribe to that group.

Previous security announcements

  • Fixing-security-vulnerabilities-(27th-Dec-2013)
  • Fixing-security-vulnerabilities-(7th-Jan-2014)
  • XSS-vulnerability-(26th-August-2014)
  • XSS-vulnerabilities-(4th-Sept-2014)
  • CSRF-Vulnerability-(CVE-2015-1585)