PLEASE DO NOT DISCLOSE SECURITY-RELATED ISSUES PUBLICLY, SEE BELOW.
If you discover a security vulnerability, please follow these guidelines before submitting a report. We take security seriously and aim to resolve security issues promptly.
When identifying potential security vulnerabilities, kindly adhere to the following:
- Share in private any discovered issues with us via our website as soon as possible
- Allow us reasonable time to address and release fixes for reported issues before making them public, preferably 90 days
- Provide a detailed report with precise explanations and practical attack scenarios
- Only report issues that fall within the scope defined below
We are interested in vulnerabilities that affect October CMS or first-party October CMS plugins, tested on locally installed software running the latest version. You can install a local copy of October CMS by following these installation instructions. Please do not test against any October CMS installation you do not own, including our website.
We are interested in the following as vulnerabilities:
- SQL Injection
- Session Hijacking
- Privilege Escalation
- Arbitrary Code Execution
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
We may not accept the following as vulnerabilities:
- Bugs relying on unlikely user interactions (i.e. the user attacking themselves)
- Reports generated by automated tools or scanners
- Theoretical attacks without proof of exploitability
- Attacks preventable by following our security recommendations
- Server configuration issues outside of our control
- Username or email address enumeration
- Issues resulting from users disregarding common security best practices (e.g. publicly sharing a password)
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Vulnerabilities affecting outdated versions of October CMS
Vulnerabilities or attacks resulting from third-party October CMS plugins or themes should be reported to the author directly. If the author does not respond, please contact us to escalate the issue. Attacks resulting from third-party libraries should be reported to the library maintainers. Attacks caused by malicious code (malware) should be reported directly to us.