Scope

We track here:

• Core ImpressCMS issues for ImpressCMS 1.4.x (the current production version) and 2.0 (in development)

• addon issues

• impresscms.org community site issues

Rewards

• We can not promise swag or absolute resolution on a fixed timeline for every issue, but we're eager to hear about what you've found regardless.

• Each fixed vulnerability will be mentioned in the release notes of a new version, along with the name of the person who notified us, as well as in the release announcement on our website.

• We've got lots of honor for those who submit issues related to the core software, but no cash bounties.

• We are in the process of working out a swag policy

Testing arrangements

• PLEASE test on your own copy. We're open source, so grab a copy from our site and install it locally.

• Beating on impresscms.org or some other public site will not be well received.

• If you find unclear, incorrect or missing documentation, don't hesitate to let us know via the forums or our Slack channel

• Be clear. We totally get that you're not paid to do this. (Coincidence: neither are we :-) ) You spent the time finding the issue, please do the effort of an extra 2 minutes to spell out what you're able to do with it so we totally understand the severity of our screw up. ;) In our life's experience : if there is a some uncertainty about a report, be aware that Murphy will make sure that we understand it the wrong way.

• Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the same. Report issues directly to us here.

• Addon's and Themes for ImpressCMS can be reported here, we will make every effort to forward information to the the author of the code. In cases where there is an 'open door' security issue we may get involved in issuing a fix ourselves. Please keep in mind that there are many add-ons and themes for ImpressCMS that we didn't write, we will do the best we can to keep communication open and release schedules of your vulnerability reports clear.

• 3rd Party Stuff. We use jQuery, jQuery UI, TinyMCE, Smarty 2, etc.. If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if they lead to severe/critical issues (below)

Levels of Severity

• Open Door - A clear method where someone can immediately gain any type of unintended administrative access through a bug in the system. This would put a website at risk from an external attacker or a disgruntled editor with limited permissions. It is a clear documented attack that always grants access to someone who should not have it. This type of exploit would be considered a top priority and would likely force an immediate point release of the core to resolve.

• External Attack Vector - A bug that an external attacker might use in conjunction with other techniques to gain access or get data. No administrative access is required to exploit the bug. The bug does not provide access on its own. It would have to be part of a larger attack, often involving some social engineering. These are considered a high priority and are typically patched immediately by the core team in github and launched in the next version of the core.

• Internal Attack Vector - A bug that requires someone already have some type of administrative access to the CMS. This might just change the experience of the CMS, or be part of a more complicated attack that might hypothetically gain more access than they should have. These are considered important to clean up over time.

Response

• We will try to respond to most reports within 5 business days.

• Issues will be fixed within a reasonable timeline as determined after triage.