Reporting security bugs
If you discover a security issue in ivatar, please report it to us privately so
that we can push a fix to the main service before disclosing the problem
publicly. We will credit you publicly (unless you don't want to) with this
discovery.
The best way to do that is to file a security bug on our bug tracker. Make sure you change the bug visibility (see "This issue is confidential and should only be visible to team members with at least Reporter access") and set the 'Security' label.
Alternatively, you can talk to us at security@libravatar.org.
We will do our best to respond to you within 24-48 hours.
Also, please let us know if you are under any kind of publication deadline.
Security Hall of fame
We would like to thank the following people who have helped make
ivatar/Libravatar more secure by reporting security issues to us.
- Ahmed Adel Abdelfattah (@00SystemError00): improvement to mail configuration on libravatar.org and libravatar.com
- Putra Adhari: server-side request forgery in OpenID support
- Ronak Nahar: Spotted and reported open server status from Apache HTTPD.
- Daniel Aleksandersen: Spotted and reported an open redirect vulnerability, as described in CWE-601.
- MR_NETWORK & Farzan ʷᵒⁿᵈᵉʳ: Spotted a problematic use of SECRET_KEY in the production environment. Many thanks for reporting it to us!