concrete5 is a powerful CMS built around the idea of in-context editing.
- IMPORTANT: There are three types of issues we track here: Core CMS issues, concrete5.org community site issues, and add-on/theme issues from the marketplace at concrete5.org. We can not promise swag or absolute resolution on a fixed timeline for every issue, but we're eager to hear about what you've found regardless.
- Install a local copy of concrete5. This will let you test concrete5 without disrupting other users.
- IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY. Do not report configuration issues with
portlandlabs.com, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.
- For instructions on installing a local copy of concrete5, see the Installation Guide .
- We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word "crayons" somewhere in your report. If you do not, your report will be closed as invalid automatically.
These last 4 awesome rules have been copied almost verbatim
fromPhabricator, if you have extra time
to give, that's a great place to give it!
- Test on your copy. We're open source, so grab a copy from our site and install it locally . Beating on our trial servers or concrete5.org will not be well received.
- Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to ponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it so us over allocated curmudgeons understand the severity of our screw up. ;)
- Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the same. Report issues directly to us here.
- Addon's and Themes for concrete5 can be reported here, we will make every effort to forward information to the the author of the code. In cases where there is an 'open door' security issue we may get involved in issuing a fix ourselves. Please keep in mind that there are thousands of add-ons and themes for concrete5 that we didn't write, we will do the best we can to keep communication open and release schedules of your vulnerability reports clear.
- 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if they lead to severe/critical issues (below)
Levels of Severity
Open Door - A clear method where someone can immediately gain any type of
unintended administrative access through a bug in the system. This would put a
website at risk from an external attacker or a disgruntled editor with limited
permissions. It is a clear documented attack that always grants access to
someone who should not have it. This type of exploit would be considered a top
priority and would likely force an immediate point release of the core to
External Attack Vector - A bug that an external attacker might use in
conjunction with other techniques to gain access or get data. No
administrative access is required to exploit the bug. The bug does not provide
access on its own. It would have to be part of a larger attack, often
involving some social engineering. These are considered a high priority and
are typically patched immediately by the core team in github and launched in
the next version of the core.
Internal Attack Vector - A bug that requires someone already have some
type of administrative access to the CMS. This might just change the
experience of the CMS, or be part of a more complicated attack that might
hypothetically gain more access than they should have. These are considered
important to clean up over time.
- We will try to respond to most reports within 48 hours.
- We will fix open door security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.
- We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.
Out of Scope
The progam has been crawled by Firebounty on 2014-03-25 and updated on 2019-08-02, 232 reports have been received so far.