Security Policy
Supported Versions
Only the latest version is supported with security updates.
Reporting a Vulnerability
Please contact support with a proof of concept that shows the security vulnerability. Please do not contact us without this proof of concept, as we cannot fix anything without this.
For general opinions on what makes an app more or less secure, please use the forum.
Areas outside Joplin's Threat Model
Note: we're mostly linking to Chrome's documentation since our reasoning for these exclusions is the same.
Denial of Service (DoS)
Physically-local attacks
Compromised/infected machines
Is opening a file on the local machine a security vulnerability?
No - users are allowed to link to files on their local computer. This feature was implemented by popular request. There are measures in place to mitigate the security risks, such as a dialog to confirm whether a file with an unknown file extension should be opened.
Is DLL sideloading a security vulnerability?
No. This is an Electron issue and not one they will fix: https://github.com/electron/electron/issues/28384
See also Physically-local attacks
Is local data not being encrypted a security vulnerability?
No, but you should use disk encryption. See also Physically-local attacks
Bounty
We do not offer a bounty for discovering vulnerabilities; please do not ask. We can, however, credit you and link to your website in the changelog and release announcement.