Skip to content

Security: octobercms/.github

Security

SECURITY.md

October CMS Security Policy

PLEASE DO NOT DISCLOSE SECURITY-RELATED ISSUES PUBLICLY, SEE BELOW.

Reporting a Vulnerability

If you discover a security vulnerability, please follow these guidelines before submitting a report. We take security seriously and aim to resolve security issues promptly.

Guidelines

When identifying potential security vulnerabilities, kindly adhere to the following:

  • Share in private any discovered issues with us via our website as soon as possible
  • Allow us reasonable time to address and release fixes for reported issues before making them public, preferably 90 days
  • Provide a well-detailed report with precise explanations and practical attack scenarios
  • Only report issues that fall within the scope defined below

Scope

We are interested in vulnerabilities that affect October CMS or first-party October CMS plugins, tested on locally installed software running the latest version. You can install a local copy of October CMS by following these installation instructions. Please do not test against any October CMS installation you do not own, including our website.

Vulnerabilities To Report

We are interested in the following as vulnerabilities:

We may not accept the following as vulnerabilities:

  • Bugs relying on unlikely user interactions (i.e. the user attacking themselves)
  • Reports generated by automated tools or scanners
  • Theoretical attacks without proof of exploitability
  • Attacks preventable by following our security recommendations
  • Server configuration issues outside of our control
  • Username or email address enumeration
  • Issues resulting from users disregarding common security best practices (e.g. publicly sharing a password)
  • Vulnerabilities affecting users of outdated / unsupported browsers or platforms
  • Vulnerabilities affecting outdated versions of October CMS

Third-party Software

If you find vulnerabilities or attacks resulting from third-party October CMS plugins or themes, they should be reported to the author directly. If the author does not respond, please contact us to escalate the issue. Attacks resulting from third-party libraries should be reported to the library maintainers. Attacks caused by malicious code (malware) should be reported directly to us.

There aren’t any published security advisories