Vulnerability Disclosure Policy
Last updated: April 2026
Introduction
EPPlus Software AB is committed to the security of EPPlus and welcomes reports from security researchers, customers, and the broader community. We follow a coordinated vulnerability disclosure approach and are committed to working with reporters to understand and address any confirmed vulnerabilities promptly.
This policy is established in accordance with the Cyber Resilience Act (EU) 2024/2847, Annex I, Part II, point 5.
Scope
This policy covers all versions of EPPlus currently within the support period, including vulnerabilities in EPPlus's own code and in third-party dependencies distributed as part of the product. A version is considered supported if it is listed on the Supported Versions page at the time the report is submitted.
How to Report a Vulnerability
| Channel | Details |
|---|---|
| Email | security@epplussoftware.com |
| Alternative | GitHub Security Advisories (requires a GitHub account) |
| Languages | English or Swedish |
Please do not report security vulnerabilities through the public issue tracker or other public channels.
When reporting, please include as much of the following as possible:
- A description of the vulnerability
- Steps to reproduce the issue
- Affected EPPlus version(s) and target framework(s)
- Any proof of concept or sample files
- Suggested mitigation or fix, if available
What to Expect
- Acknowledgement. We will acknowledge receipt of your report within 2 business days.
- Triage. We will assess the reported vulnerability for validity, severity (using CVSS as a reference), and exploitability in the context of EPPlus.
- Coordination. We will work with you to agree on a disclosure timeline. Our default disclosure window is 90 days from the initial report, subject to adjustment by mutual agreement. In cases of active exploitation or severe risk to users, we may disclose earlier to protect users, even if a fix is not yet available.
- Remediation. We will develop a fix and prepare a security update for all affected supported versions.
- Disclosure. Upon release of the fix, we will publish a security advisory on our Vulnerability Disclosures page, including affected versions, our risk assessment, and recommended action. EPPlus Software AB will request a CVE identifier where applicable, unless one has already been assigned by the reporter or a CNA.
Safe Harbor
EPPlus Software AB will not pursue legal action against individuals who discover and report security vulnerabilities in good faith and in accordance with this policy. We consider security research conducted under this policy to be authorized and will not initiate legal action for accidental policy violations made in a genuine effort to follow this policy.
We ask that you:
- Act in good faith and avoid privacy violations, data destruction, and disruption of our services
- Do not publicly disclose vulnerability details before a fix is available
- Allow us reasonable time to address the issue before any public disclosure
Vulnerability Handling for Dependencies
EPPlus includes third-party NuGet packages as dependencies. When a vulnerability is identified in a dependency:
- We assess whether the vulnerability is exploitable through EPPlus's API and usage of the dependency.
- If exploitable: we update the dependency and release a security patch.
- If not exploitable in the EPPlus context: we document this assessment on our Vulnerability Disclosures page and update the dependency in the next scheduled release.
- If an upstream fix is not yet available: we document the status, any available workarounds, and monitor for an upstream fix.
All dependency vulnerabilities and their assessments are published on our Vulnerability Disclosures page.
Security Updates
Security updates are released as new versions on our public NuGet feed. Security updates are provided free of charge to all users during the published security support period, regardless of license status.
Regulatory Reporting
For actively exploited vulnerabilities, EPPlus Software AB reports to the designated CSIRT (CERT-SE) and ENISA in accordance with Regulation (EU) 2024/2847, Article 14.
Related Resources
- Security Overview — overview of our security practices
- Software Bill of Materials — SBOM for each EPPlus release
- Scan Results — automated vulnerability scan results
- Vulnerability Disclosures — disclosed vulnerabilities and assessments
- Supported Versions — support lifecycle per major version
- SECURITY.md on GitHub — security policy in the EPPlus repository