Vulnerability Disclosure

Updated July 1, 2022

We take security very seriously at ODK and we welcome any disclosure of vulnerabilities that helps us ensure the security and privacy of our users.

Scope

You must only test for vulnerabilities against the following targets:

You must make a good faith effort to avoid privacy violations, destruction of data, or degradation of service. You must also refrain from social engineering, phishing, or physical attacks against our staff, users, or infrastructure.

Reporting

Please do not report vulnerabilities on the community forum or on GitHub. Instead, report them to security@getodk.org. We will respond in 3 business days.

Vulnerability reports must include step-by-step details needed to reproduce and validate the vulnerability and a proof of concept.

Fixing vulnerabilities and ensuring users have updated their installs may take time. Please do not share vulnerabilities publicly until it is safe to do so, typically 90 days.

We do not offer monetary rewards for reporting vulnerabilities, but we are happy to give credit in release announcements.

Disclosure

We publish security advisories on GitHub (ODK, Enketo, XLSForm). We also publish information about critical vulnerabilities in the forum under the vulnerability tag.