If you discover a security vulnerability in FreeFile ITR, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please use GitHub Security Advisories to report the issue privately.

Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)

Expected response times:

- Acknowledgment: Within 48 hours
- Assessment: Within 1 week
- Fix: Depends on severity; we aim to fix critical issues within 2 weeks

Security issues we care about (in scope):

- Data leakage (financial data leaving the device unintentionally)
- Injection vulnerabilities (SQL injection, command injection, XSS)
- Authentication bypass in filing automation
- Dependency vulnerabilities with known exploits
- Insecure data storage

Out of scope:

- Issues requiring physical access to the device
- Social engineering attacks
- Denial of service on the local app
- Issues in third-party dependencies without a known exploit

Supported versions:

| Version | Supported |
|---|---|
| Latest | Yes |
| Older | Best effort |

We follow coordinated disclosure. Once a fix is released, we will credit the reporter (unless they prefer to remain anonymous) and publish a security advisory.