Have you found a security related bug on SourceForge? Please review this document and let us know. We greatly appreciate security communities and those who disclose problems to us quickly so that we can take action. We provide public thanks and acknowledgement for verified reports.
When sending in a report, whenever possible, please provide as much information as necessary to reproduce the issue. For example, the URL where the vulnerability is located, the input required, screenshots, web browser and operating systems tested, etc. Accurate information will help us track down and expedite resolving the issue.
If you believe there is evidence that file hosting may be compromised, please be sure to indicate the exact files you downloaded, and the mirror you downloaded from. It is also helpful if you can check the file hashes of the downloaded files compared to what we report as the correct hash.
Subdomains of sourceforge.io and sourceforge.net are used for project web hosting. We provide the hosting platform, but individual projects are responsible for the security of what they run there. For example, an XSS vulnerability at
example.sourceforge.net should be reported to the admins listed at
sourceforge.net/projects/example/ However, if you find abuse, or security issues with system services please do contact us directly.
If you've verified a vulnerability, please contact us as soon as possible by emailing email@example.com with full details and information on how to reproduce the issue.
You may PGP encrypt messages to key 80F0E373 (1E90 FD05 9A03 EDC1 4E36 0CD6 0D0F 051B 80F0 E373)
Once the bug has been fixed, we can provide public thanks and acknowledgement on this page:
* Vulnerability reported by several independent researchers