Yes, a security bug and a functional bug are exactly the same to us: functionality that does something to the software or its data that is not documented. Every year eramba gets installed thousands of times and is used by many people around the world, in particular security people, so we do receive some sort of report every month. This is a perfectly normal operational task for software used by many people.
We work on certain types of bugs and under certain conditions:
The bug you found must actually cause proven damage. It is not enough to talk about "potential" damage; it must be proven that one of the following happens:
- You were able to access the system or specific functionalities (with write or read permissions) bypassing authentication and authorization controls
- You are able to affect the data integrity of the software
- You are able to make the system unavailable to users
Then we need to know how you got there. For that we need some sort of report or email that includes:
- Which of the three issues above is of concern
- Whether the exploit requires an authenticated and authorized account
- A STEP BY STEP procedure we can repeat that leads to the bug. This is fundamental: step by step, what actions, payloads, response headers, scripts, etc. you used to exploit the system
- The version of eramba you are using. Ideally you should be using the latest community or enterprise release.
You can find a real life example of a report here. We do not care which file format you use (rtf, doc, txt, etc.) as long as it is clear. Please email reports to firstname.lastname@example.org and we'll assist. It typically requires many back-and-forth messages to understand the issue, in particular if it is complicated. If we can reproduce the exploit, we'll fix it and work with you to publish CVEs, forum posts, etc.
IMPORTANT: The information above is impossible to provide without deep technical skills, screenshots or videos. Do not send automated scanner reports, as those are of no use to us: they do not provide any of the above-mentioned requirements.