Security is very important to the BulkOps app and its users and we're committed to responsible reporting of security-related issues. Please help to report any security issues with this app. See below for more details
We regularly scan our code for any potential security vulnerability and we check all dependencies for any impact on vulnerability before committing such changes to the release version. We use several tools to perform such scans such as Codacy and Snyk.io to monitor for any potential security vulnerability and provide mitigation measures where necessary. We regularly scan our code base to ensure best practices in writing code and mitigating any known threats relating to the use of certain code structures.
For cloud-based users, there's no interaction or storage of end-user data. Any information supplied to the app is processed immediately and discarded and no end-user data is stored. Access to log data is restricted to the author of the app and all that information is confidential.
We run automated and user-based tests for any update and upgrade that is done on the app, we use apps such as Travis-ci to perform automated tests when updates are done. We check for vulnerabilities within dependencies to know and understand if they impact the app in any way or form. If there are impacts, we provide mitigation steps to remedy the issue.
For cloud-based users, daily backup of the database is done in privately encrypted servers. This database is used to store log data used in the audit log feature and user-provided data during sign-up. This database does not store any end-user data or any uploaded file data.
We appreciate all efforts taken to keep this app safe for use and we encourage the report of such vulnerability if found. However, the BulkOps app is an open-source project and does not run any bug bounty programs
The process we've adopted to take security issues from private to public involves multiple steps. Approximately one week before public disclosure we provide a security advisory, so it is important to watch our repository for those users who have local installations. For the cloud users, we'll typically perform an update automatically with the fix to the vulnerability as soon as possible once, we've detected it.
| High | Medium | Low |
|---|---|---|
| Remote code execution | Broken authentication | Data exposure |
| SQL injection | Cross-site scripting (XSS) | Unvalidated redirects |
| Cross-site request forgery (CSRF) |
On the day of disclosure, the following steps will be taken:
- Apply the relevant patch(es) to the BulkOps app code base.
- Issue the relevant release in the BOP git repository.
- Create a security advisory describing the issue and its resolution. We'll also credit the author (if they want to be mentioned publicly)
The below release version is supported. We encourage you to update to the latest version of BulkOps app if you're using a local install. For the cloud version, this is updated frequently after testing and security validation of the dependencies have been completed.
| Version | Supported |
|---|---|
| v4.3.0 | ✅ |
| v4.2.9 | ✅ |
| v4.2.8 | ✅ |
| v4.2.7 | ❌ |
| v4.2.6 | ❌ |
| v4.2.5 | ❌ |
| v4.2.4 | ❌ |
| v4.2.3 | ❌ |
| v4.2.2 | ❌ |
| v4.2.1 | ❌ |
| v4.2.0 | ❌ |
| v4.1.7 | ❌ |
| v4.1.6 | ❌ |
| v4.1.5 | ❌ |
| v4.1.4 | ❌ |
| v4.1.3 | ❌ |
| v4.1.2 | ❌ |
| v4.1.1 | ❌ |
| v4.1.0 | ❌ |
| v4.0.9 | ❌ |
| v4.0.8 | ❌ |
| v4.0.7 | ❌ |
| v4.0.6 | ❌ |
| v4.0.5 | ❌ |
| v4.0.4 | ❌ |
| v4.0.3 | ❌ |
| v4.0.2 | ❌ |
| v4.0.1 | ❌ |
| v4.0.0 | ❌ |
| v3.8.7 | ❌ |
| v3.8.6 | ❌ |
| v3.8.5 | ❌ |
| v3.5.7 | ❌ |
| v3.5.6 | ❌ |
| v3.5.5 | ❌ |
| v3.5.2 | ❌ |
| v3.0.0 | ❌ |
| v2.0.8 | ❌ |
| v2.0.7 | ❌ |
| v2.0.6 | ❌ |
| v2.0.5 | ❌ |
| v2.0.4 | ❌ |
| v2.0.3 | ❌ |
| v2.0.2 | ❌ |
| v2.0.1 | ❌ |
| v2.0.0 | ❌ |
| v1.2.5 | ❌ |
| v1.2.4 | ❌ |
| v1.2.3 | ❌ |
| v1.2.2 | ❌ |
| v1.2.1 | ❌ |
| v1.2 | ❌ |
| v1.1 | ❌ |
| v1.0 | ❌ |
For any bugs or vulnerabilities please raise a Support ticket. Please try to be explicit as possible, stating all the steps taken and the reproduction of the security issue. If you believe you've found a vulnerability within BulkOps app that has a security impact, please send us an email to support[at]elfapp.website, indicating the vulnerability and describing the problem with steps of reproduction and we request not to publicly disclose the issue until it has been addressed by us.
- Once you've raised a ticket or sent an email, we will look into the issue within 48 hours and get back to you.
- We will follow up if and when we have confirmed the issue with a timeline for a fix.
- We will create a Github advisory of the issue and publish it when a fix has been implemented and deployed within the repository.
- We will keep you informed when the fix has been applied.