Security: FOSSBilling/docs

.github/SECURITY.md

Security Policy

Reporting Vulnerabilities

Please do not report security vulnerabilities through public GitHub issues, pull requests, discussions, Discord, or the forum.

If the affected repository has private vulnerability reporting enabled, use that repository's Security tab and select Report a vulnerability. If you are unsure where to report the issue, or the affected repository does not provide private reporting, use the main FOSSBilling advisory form:

https://github.com/FOSSBilling/FOSSBilling/security/advisories/new

Existing public advisories for the main FOSSBilling application are available here:

https://github.com/FOSSBilling/FOSSBilling/security/advisories

If your report is a bug, support request, or feature suggestion that is not related to a security vulnerability, please open a normal issue in the relevant repository instead.

What to Include

A useful vulnerability report should include:

  • The affected repository, package, module, file, endpoint, workflow, or documentation page.
  • The affected version, branch, commit, package version, or URL.
  • A clear description of the vulnerability and the required preconditions.
  • Step-by-step reproduction instructions.
  • A proof of concept, screenshots, logs, or request/response examples when available.
  • The expected impact, including confidentiality, integrity, availability, privilege escalation, or data exposure concerns.
  • Any suggested mitigation or fix.

Please remove unrelated secrets, tokens, passwords, private customer data, and personal data from reports and examples.

Non-Qualifying Reports

The FOSSBilling team may close or reject reports that do not demonstrate a realistic security impact, including:

  • Automated scanner output without analysis or a reproducible impact.
  • Theoretical issues without a practical attack path.
  • Vulnerabilities that only affect an unsupported, end-of-life, or heavily modified installation.
  • Issues caused by a third-party dependency that should be reported to that dependency's maintainers.
  • Social engineering, phishing, or physical attacks.
  • Weak TLS, SSL, SSH, DNS, or server configuration outside FOSSBilling's control.
  • Attacks requiring physical access to a user's device or a device/network that is already seriously compromised.
  • Self-targeted attacks with no impact on other users, tenants, administrators, or systems.
  • Findings limited to test code, fixtures, or intentionally insecure development-only examples.

Coordinated Disclosure

After receiving a report, maintainers will review the issue, ask for additional details if needed, and coordinate a fix and advisory when appropriate. Please give the team reasonable time to investigate before disclosing details publicly.

AI-Assisted Reports

AI tools can be useful during security research, but the reporter is responsible for validating the finding. Reports generated by AI or automated tools without human verification, a clear attack path, and reproducible impact are not useful and may be rejected.