joplin/SECURITY.md

# Security Policy

## Supported Versions

Only the latest version is supported with security updates.

## Reporting a Vulnerability

Please [contact support](https://raw.githubusercontent.com/laurent22/joplin/dev/Assets/AdresseSupport.png) **with a proof of concept** that shows the security vulnerability. Please do not contact us without this proof of concept, as we cannot fix anything without this.

For general opinions on what makes an app more or less secure, please use the forum.

## Areas outside Joplin's Threat Model

Note: we're mostly linking to Chrome's documentation since our reasoning for these exclusions is the same.

### Denial of Service (DoS)

[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#are-denial-of-service-issues-considered-security-bugs)

### Physically-local attacks

[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model)

### Compromised/infected machines

[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-compromised_infected-machines-in-chromes-threat-model)

### Is opening a file on the local machine a security vulnerability?

No - users are allowed to link to files on their local computer. This was a feature that was implemented by popular request. There are measures in place to mitigate security risks such as a dialog to confirm whether a file with an unknown file extension should be opened.

### Is DLL sideloading a security vulnerability?

No. This is an Electron issue and not one they will fix: https://github.com/electron/electron/issues/28384

See also [Physically-local attacks](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model)

### Is local data not being encrypted a security vulnerability?

No, but you should use disk encryption. See also [Physically-local attacks](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model)

## Bounty

We **do not** offer a bounty for discovering vulnerabilities, please do not ask. We can however credit you and link to your website in the changelog and release announcement.
Create SECURITY.md 2019-09-25 16:28:34 +01:00			`# Security Policy`

			`## Supported Versions`

			`Only the latest version is supported with security updates.`

			`## Reporting a Vulnerability`

Doc: Changed GitHub links from master to dev 2020-10-11 16:17:51 +01:00			`Please [contact support](https://raw.githubusercontent.com/laurent22/joplin/dev/Assets/AdresseSupport.png) with a proof of concept that shows the security vulnerability. Please do not contact us without this proof of concept, as we cannot fix anything without this.`
Create SECURITY.md 2019-09-25 16:28:34 +01:00
			`For general opinions on what makes an app more or less secure, please use the forum.`
Doc: Mention that we do not offer bounties 2022-09-20 12:15:13 +03:00
Doc: Add "Area outside of Joplin's Threat Model" to Security.md 2025-02-13 09:55:10 +00:00			`## Areas outside Joplin's Threat Model`

			`Note: we're mostly linking to Chrome's documentation since our reasoning for these exclusions is the same.`

			`### Denial of Service (DoS)`

			`[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#are-denial-of-service-issues-considered-security-bugs)`

			`### Physically-local attacks`

			`[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model)`

			`### Compromised/infected machines`

			`[Reference](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-compromised_infected-machines-in-chromes-threat-model)`

			`### Is opening a file on the local machine a security vulnerability?`

			`No - users are allowed to link to files on their local computer. This was a feature that was implemented by popular request. There are measures in place to mitigate security risks such as a dialog to confirm whether a file with an unknown file extension should be opened.`

			`### Is DLL sideloading a security vulnerability?`

			`No. This is an Electron issue and not one they will fix: https://github.com/electron/electron/issues/28384`

			`See also [Physically-local attacks](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model)`

			`### Is local data not being encrypted a security vulnerability?`

			`No, but you should use disk encryption. See also [Physically-local attacks](https://chromium.googlesource.com/chromium/src.git/+/master/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model)`

Doc: Mention that we do not offer bounties 2022-09-20 12:15:13 +03:00			`## Bounty`

			`We do not offer a bounty for discovering vulnerabilities, please do not ask. We can however credit you and link to your website in the changelog and release announcement.`