| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Reporting a Vulnerability |
| 4 | + |
| 5 | +If you discover a security vulnerability, please review these guidelines before submitting a report. We take security seriously and do our best to resolve security issues as quickly as possible. |
| 6 | + |
| 7 | +## Guidelines |
| 8 | + |
| 9 | +While working to identify potential security vulnerabilities, we ask that you: |
| 10 | + |
| 11 | +- Share any issues you discover with us via [Github](https://github.com/craftcms/cms/security/advisories) or [our website](https://craftcms.com/contact) as soon as possible. |
| 12 | +- Give us a reasonable amount of time to address any reported issues before publicizing them. |
| 13 | +- Only report issues that are [in scope](#scope). |
| 14 | +- Provide a quality report with precise explanations and concrete attack scenarios. |
| 15 | +- Make sure you’re aware of the versions of Craft and Commerce that are actively [receiving security fixes](https://craftcms.com/knowledge-base/supported-versions). |
| 16 | + |
| 17 | +## Scope |
| 18 | + |
| 19 | +We are only interested in vulnerabilities that affect Craft or [first party Craft plugins](https://github.com/craftcms), tested against **your own local installation of the software**. You can install a local copy of Craft by following these [installation instructions](https://craftcms.com/docs/installing). Do **not** test against any Craft installation that you don’t own, including [craftcms.com](https://craftcms.com) or [demo.craftcms.com](https://demo.craftcms.com). |
| 20 | + |
| 21 | +### Qualifying Vulnerabilities |
| 22 | + |
| 23 | +- [Cross-Site Scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) |
| 24 | +- [Cross-Site Request Forgery (CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) |
| 25 | +- [Arbitrary Code Execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution) |
| 26 | +- [Privilege Escalation](https://en.wikipedia.org/wiki/Privilege_escalation) |
| 27 | +- [SQL Injection](https://en.wikipedia.org/wiki/SQL_injection) |
| 28 | +- [Session Hijacking](https://en.wikipedia.org/wiki/Session_hijacking) |
| 29 | + |
| 30 | +### Non-Qualifying Vulnerabilities |
| 31 | + |
| 32 | +- Reports from automated tools or scanners |
| 33 | +- Theoretical attacks without proof of exploitability |
| 34 | +- Attacks that can be guarded against by following our [security recommendations](https://craftcms.com/guides/securing-craft). |
| 35 | +- Server configuration issues outside of Craft’s control |
| 36 | +- [Denial of Service](https://en.wikipedia.org/wiki/Denial-of-service_attack) attacks |
| 37 | +- [Brute force attacks](https://en.wikipedia.org/wiki/Brute-force_attack) (e.g. on password or token hashes) |
| 38 | +- Username or email address enumeration |
| 39 | +- Social engineering of Pixel & Tonic staff or users of Craft installations |
| 40 | +- Physical attacks against Craft installations |
| 41 | +- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (e.g. [man-in-the-middle attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)) |
| 42 | +- Attacks that are the result of a third party Craft plugin should be reported to the plugin’s author |
| 43 | +- Attacks that are the result of a third party library should be reported to the library maintainers |
| 44 | +- Bugs that rely on an unlikely user interaction (i.e. the user effectively attacking themselves) |
| 45 | +- Disclosure of tools or libraries used by Craft and/or their versions |
| 46 | +- Issues that are the result of a user clearly ignoring common security best practices (like sharing their password publicly) |
| 47 | +- Missing security headers which do not lead directly to a vulnerability via proof of concept |
| 48 | +- Vulnerabilities affecting users of outdated/unsupported browsers or platforms |
| 49 | +- Vulnerabilities affecting outdated versions of Craft |
| 50 | +- Any behavior that is clearly documented |
| 51 | +- Issues discovered while scanning a site you don’t own without permission |
| 52 | +- Missing CSRF tokens on forms (unless you have a proof of concept, many forms either don’t need CSRF or are mitigated in other ways) and “logout” CSRF attacks |
| 53 | +- [Open redirects](https://www.owasp.org/index.php/open_redirect) |
| 54 | + |
| 55 | +## Bounties |
| 56 | + |
| 57 | +To show our appreciation for the work it can take to find and report a vulnerability, we’re happy to offer researchers a monetary reward. |
| 58 | + |
| 59 | +Reward amounts vary depending upon the severity. Our minimum reward for a qualifying vulnerability report is $50 USD and we expect to pay $500+ USD for major vulnerabilities. |
| 60 | + |
| 61 | +A report will qualify for a bounty if: |
| 62 | + |
| 63 | +- Our [Guidelines](#guidelines) have been followed in full. |
| 64 | +- The vulnerability was previously unknown to us, or your report provides more information or shows the vulnerability to be more extensive than we originally thought. |
| 65 | +- The vulnerability is non-trivial. |
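Review bot: the Guidelines ask reporters to allow "a reasonable amount of time" before publicizing, but nothing in the Reporting a Vulnerability section states what to expect in return (acknowledgement window, fix timeline, or a coordinated-disclosure period); consider adding a concrete commitment so researchers can plan disclosure around it. Also, "Cross-Site Request Forgery (CSRF)" is listed under Qualifying Vulnerabilities while "Missing CSRF tokens on forms" is non-qualifying; adding a sentence that the excluded case is a missing token without a demonstrated impact would remove the apparent contradiction. Minor: "Github" should be spelled "GitHub".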