Security

Have you found a security related bug on SourceForge? Please review this document and let us know. We greatly appreciate security communities and those who disclose problems to us quickly so that we can take action. We provide public thanks and acknowledgement for verified reports.

Useful Information

We cover security vulnerabilities for SourceForge provided services, for example, pages on the https://sourceforge.net website, the Shell service, and File Release System downloads, etc.

When sending in a report, whenever possible, please provide as much information as necessary to reproduce the issue. For example, the URL where the vulnerability is located, the input required, screenshots, web browser and operating systems tested, etc. Accurate information will help us track down and expedite resolving the issue.

Download Mirrors

If you believe there is evidence that file hosting may be compromised, please be sure to indicate the exact files you downloaded, and the mirror you downloaded from. It is also helpful if you can check the file hashes of the downloaded files compared to what we report as the correct hash.

Subdomains

Subdomains of sourceforge.io and sourceforge.net are used for project web hosting. We provide the hosting platform, but individual projects are responsible for the security of what they run there. For example, an XSS vulnerability at example.sourceforge.net should be reported to the admins listed at sourceforge.net/projects/example/ However, if you find abuse, or security issues with system services please do contact us directly.

Contacting SourceForge with Security Vulnerabilities

If you've verified a vulnerability, please contact us as soon as possible by emailing security@sourceforge.net with full details and information on how to reproduce the issue.

You may PGP encrypt messages to key 80F0E373 (1E90 FD05 9A03 EDC1 4E36 0CD6 0D0F 051B 80F0 E373)

Public Thanks and Acknowledgement

Once the bug has been fixed, we can provide public thanks and acknowledgement on this page:

* Vulnerability reported by several independent researchers