Report a draw.io vulnerability on huntr.dev
draw.io has registered its draw.io application repositories (jgraph/drawio and jgraph/drawio-desktop) on huntr.dev. This service is used by security researchers and developers to report security vulnerabilities in any GitHub repository, and receive a bug-bounty for their report.
- Authorise huntr.dev to access your GitHub account, if you haven’t already done so - click on Login in the top right of the page, and follow the prompts to authorise access.
- View the jgraph/drawio or the jgraph/drawio-desktop listing.
- Click on the Submit report link - below and to the right of the listing - and fill in the report form with as much detail as you can.
Note: Reporting the same bug in both repositories will mark one as a duplicate.
We will review your report and validate it if the bug is indeed a security risk. You’ll receive an email notification when the report is validated, and confirmation of the bug fix once it is released.
At this point, huntr.dev will calculate the CVE bounty - based on the severity of the valid and fixed security vulnerability - then release the bounty to you as per their payment terms.