Report a Vulnerability

If you find a bug that does not expose a security vulnerability, please report it in our public issue tracker at https://todo.sr.ht/~arx10/procustodibus. See the File a Bug page for details.

If, however, you find something that does look like it could be a security vulnerability, please follow this process:

Reporting Process

To report a security issue concerning Pro Custodibus, send an email to security@arcemtene.com. If it contains sensitive information, encrypt it with these PGP keys:

We would appreciate it if you included the following in your report (if applicable):

  • Description, location (i.e. website URL, file paths, etc.), and potential impact.

  • Steps required to reproduce (or proof-of-concept script).

  • Details of any tools used (including exact version numbers and platform info).

  • Tool or script output.

We take all reports seriously, and will respond to you within 24 hours. We expect to address most serious issues within a few days, but in some cases may ask that you delay publicly disclosing an issue for longer than that (but no longer than 1 month). If we ask for a delay, we will keep you updated on our progress every few days, and let you know as soon as it has been addressed.