Security
Reporting a security vulnerability in SeqDesk
Our commitment
SeqDesk is open-source software developed at the Helmholtz Centre for Infection Research (HZI). Even though every SeqDesk instance is self-hosted by the institution that runs it, we take security reports seriously. A vulnerability in the software can affect every deployment. We review reports promptly, keep them confidential while a fix is prepared, and aim to respond quickly.
This page complements the Helmholtz Centre for Infection Research’s institution-wide Vulnerability Disclosure Policy. For vulnerabilities in the SeqDesk software specifically, the GitHub channel below is the fastest route to the maintainers.
Reporting a vulnerability
Please report suspected security vulnerabilities privately through GitHub’s private vulnerability reporting rather than opening a public issue. This keeps the details confidential until a fix is available and gives us a private channel to coordinate with you.
Report a vulnerability on GitHub
You can also reach the form from the Security tab of the repository by choosing “Report a vulnerability”. A GitHub account is required.
What to include
To help us assess and reproduce the issue quickly, please include the affected SeqDesk version, a description of the vulnerability and its potential impact, and step-by-step instructions to reproduce it. Proof-of-concept details are welcome.
What to expect
We aim to acknowledge new reports within a few business days and will keep you informed as we investigate. Where a fix is warranted, we work toward a coordinated disclosure: we prepare and ship a fix, publish a security advisory, and credit you for the discovery unless you prefer to remain anonymous.
Self-hosted deployments
SeqDesk is installed and operated on each institution’s own infrastructure, so the security and configuration of a given instance are the operator’s responsibility. See the disclaimer for operator guidance. Fixes for vulnerabilities in the software itself are shipped through regular releases, so keeping your installation up to date is the best way to stay protected.
Please avoid
Please do not disclose vulnerability details in public GitHub issues, pull requests, or discussions before a fix has been released, and do not test against SeqDesk instances you do not own or operate without the operator’s explicit permission.
Other contact
If you are unable to use GitHub, or the matter is particularly sensitive, you can email pmu15@helmholtz-hzi.de.