pages/security/responsible-disclosure.mdx
Lines changed: 11 additions & 9 deletions
@@ -33,15 +33,17 @@ Please note that we **currently do not operate a formal bug bounty program** wit
33
33
34
34
We appreciate the efforts of security researchers who help keep Langfuse secure. The following individuals have responsibly disclosed vulnerabilities that led to improvements:
|[Ather Iqbal](https://linkedin.com/in/atheriqbalhacker)|[#4434](https://github.com/langfuse/langfuse/pull/4434)| Password complexity + block links in user name |
39
-
|[Milan Jain](https://linkedin.com/in/milan-jain-scriptkiddie-50a738213)|[#6703](https://github.com/langfuse/langfuse/pull/6703)| Hyperlink injection in organization invite email |
40
-
|[pyozzi](https://www.linkedin.com/in/sang-yeong-pyo-0411a6207)|[#8821](https://github.com/langfuse/langfuse/pull/8821)| SSRF vulnerability in webhooks |
|[Carsten Csiky](https://github.com/csicar/)|[#10223](https://github.com/langfuse/langfuse/pull/10223)| Do not expose resolved but blocked IPs in user facing error messages. |
43
-
|[Team-DisclosureX Cybrgen](https://linkedin.com/company/cybrgen-limited/), [J Sonali](https://www.linkedin.com/in/j-sonali)|[#10136](https://github.com/langfuse/langfuse/pull/10136), [CVE-2025-64504](https://github.com/langfuse/langfuse/security/advisories/GHSA-94hf-6gqq-pj69)| Cross‑organization enumeration of member & invitation lists via project membership APIs |
44
-
| [David Bors at Snyk Security Labs](https://www.linkedin.com/in/davidxbors/) | [#10426](https://github.com/langfuse/langfuse/pull/10426), [GHSA-w9pw-c549-5m6w](https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w) | SSO Account Takeover via CSRF or phishing attack
|[Ather Iqbal](https://linkedin.com/in/atheriqbalhacker)|[#4434](https://github.com/langfuse/langfuse/pull/4434)| Password complexity + block links in user name |
39
+
|[Milan Jain](https://linkedin.com/in/milan-jain-scriptkiddie-50a738213)|[#6703](https://github.com/langfuse/langfuse/pull/6703)| Hyperlink injection in organization invite email |
40
+
|[pyozzi](https://www.linkedin.com/in/sang-yeong-pyo-0411a6207)|[#8821](https://github.com/langfuse/langfuse/pull/8821)| SSRF vulnerability in webhooks |
|[Carsten Csiky](https://github.com/csicar/)|[#10223](https://github.com/langfuse/langfuse/pull/10223)| Do not expose resolved but blocked IPs in user facing error messages. |
43
+
|[Team-DisclosureX Cybrgen](https://linkedin.com/company/cybrgen-limited/), [J Sonali](https://www.linkedin.com/in/j-sonali)|[#10136](https://github.com/langfuse/langfuse/pull/10136), [CVE-2025-64504](https://github.com/langfuse/langfuse/security/advisories/GHSA-94hf-6gqq-pj69)| Cross‑organization enumeration of member & invitation lists via project membership APIs |
44
+
|[David Bors at Snyk Security Labs](https://www.linkedin.com/in/davidxbors/)|[#10426](https://github.com/langfuse/langfuse/pull/10426), [GHSA-w9pw-c549-5m6w](https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w)| SSO Account Takeover via CSRF or phishing attack |
45
+
|[Sankalp Tripathi](https://linkedin.com/in/sankalp-tripathi-9bbb982b9)|[#10603](https://github.com/langfuse/langfuse/pull/10603)| Hyperlink injection in welcome email |
46
+
45
47
## Contact
46
48
47
49
For all security-related inquiries, including vulnerability disclosures, please contact [email protected].
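Review bot: the `+` rows, including the new #10603 entry, link only the fixing PR and give no affected or fixed-in version, so a self-hosting reader cannot tell from this page whether their deployment already contains a given fix; consider adding a "Fixed in" column (or the release tag in the PR cell) for every row, not just the two that also link an advisory (#10136 with CVE-2025-64504, #10426 with GHSA-w9pw-c549-5m6w). Minor style point in the same hunk: the #10223 row reads as a commit title with a trailing period, "Do not expose resolved but blocked IPs in user facing error messages.", while every other row names the vulnerability class without one; rephrasing it as "Information disclosure of resolved-but-blocked IPs in user-facing error messages" keeps the column consistent.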