The current release is the only supported version and shouldn't have any security bugs. However if you find a security issue in an older release feel free to also report this in case of regression.
It's important that to know about past mistakes to help avoid repetition in the future.
Reporting a Vulnerability
Reporting a vulnerability is best done by emailing firstname.lastname@example.org. You can also message an administrator directly on the CyberDrain Discord. The administrators involve all relevant contributors in discussing the issue in private and addressing it if appropriate. Your cooperation in reporting security issues in this way assists in making any fix available as soon as possible without endangering other users of the product.
The project publicly posts security reports after resolution, including all communications. If you would rather have only the bug report public, please include this fact when making the report.
Notifications and Security Advisories
Security notification reporting is via the GitHub notification and advisory system. Sponsors with hosted instances receive a notification directly.
Bounties and Rewards
This project is an open-source sponsor-ware effort, which makes it hard to create a monetary reward without breaking the bank.
For critical security bugs, involving things like remote code execution or API data leaks, the project aims to offer a 50 dollar reward. For other bugs, the project may reward with some swag such as an official CyberDrain t-shirt or hoodie.
Please see the Vulnerability Disclosure Policy for more information on how to investigate vulnerabilities and associated commitments and expectations.