Security: sleuthkit/autopsy

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Autopsy, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

You can report vulnerabilities through either of the following:

  • GitHub Private Vulnerability Reporting: Use the "Report a vulnerability" button on the Security tab of this repository.
  • Email: security@sleuthkit.org

Please include the following in your report:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact or attack scenario
  • Any suggested fixes or mitigations (optional)

What to Expect

  • Acknowledgment: We will acknowledge receipt of your report within 5 business days.
  • Updates: We will provide status updates as we investigate and work toward a fix.
  • Disclosure: We ask that you give us reasonable time to address the vulnerability before public disclosure. We will coordinate a disclosure timeline with you.

Scope

This policy covers security vulnerabilities in Autopsy:

This policy does not cover vulnerabilities in third-party dependencies or plugins. Please report those to the respective project maintainers.

Attribution

We appreciate the security research community's efforts in responsibly disclosing vulnerabilities. Researchers who responsibly report valid security issues will be credited in the release notes unless they prefer to remain anonymous.

There aren’t any published security advisories