First of all, thank you for taking time to read this. We believe, you're considering sharing what could be a security issue that might affect every installation running NexoPOS 4.x. We believe in the power of open-source and contributions of it's adherants, that's why regardless of whether your report is proven or not, it's welcome.
Basically, everything that could be a leak, that makes the system's (NexoPOS) security inefficient, anything that can expose the server (files & database) or that makes the system to be used in a manner that is out of the purpose we're aiming. It can be sensitive information that are accessible without any permission restriction or any error thrown, that might expose the database structure. To ease a quick fix of those major concern, bugs (something that doesn't works as it should) aren't included on this, unless that bug expose the system.
Security vulnerabilities should be reported responsibily. We, the developers, should have enough time to either answer to the report and to provide a fix to it. According to the disponibilty and the complexity of the concern, we might not give an exact hint on when those will be resolved, but as must as possible, we rather don't want those to be disclosed publicly as a vulnerability, unless we haven't taken any action during a long period (6 months), so that anyone on the community might be aware of those and then either chose to fix or to take any relevant action.
The concern should priorily be reported to [email protected]
. We'll usually reply once we receive a report and we'll also share either the commit or the version to test the most recent version with the fix.
If we haven't said that yet, we're really thankful for your consideration. Reporting this shows how much you care about our effort and would like to bring your contribution and that's really appreciated.
Kind Regards.
Blair.