-
This commit is contained in:
+53
@@ -0,0 +1,53 @@
|
||||
# Security Policy
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
If you believe you have found a security vulnerability in Bludit, please **do
|
||||
not** open a public GitHub issue, post in discussions, or disclose it on social
|
||||
media before it has been addressed.
|
||||
|
||||
Instead, report it privately through GitHub's Private Vulnerability Reporting:
|
||||
|
||||
**https://github.com/bludit/bludit/security/advisories/new**
|
||||
|
||||
This opens a private advisory visible only to the Bludit maintainers.
|
||||
|
||||
When reporting, please include:
|
||||
|
||||
- A clear description of the vulnerability and its impact.
|
||||
- Steps to reproduce, including a proof of concept if possible.
|
||||
- The Bludit version, PHP version, and webserver where you reproduced it.
|
||||
- Any suggested mitigation or patch.
|
||||
|
||||
## What to Expect
|
||||
|
||||
- We aim to acknowledge new reports within **5 business days**.
|
||||
- We will keep you informed as we investigate and work on a fix.
|
||||
- Once a fix is released, we will publish a GitHub Security Advisory crediting
|
||||
the reporter (unless you prefer to remain anonymous) and, where appropriate,
|
||||
request a CVE.
|
||||
|
||||
## Supported Versions
|
||||
|
||||
Security fixes are provided for the **latest stable release** of Bludit on the
|
||||
`master` branch. Older versions are not supported — please upgrade before
|
||||
reporting issues against them.
|
||||
|
||||
## Scope
|
||||
|
||||
In scope:
|
||||
|
||||
- The Bludit core (`bl-kernel/`, `bl-plugins/` shipped with core, `bl-themes/`
|
||||
shipped with core).
|
||||
- The official admin interface.
|
||||
|
||||
Out of scope:
|
||||
|
||||
- Third-party plugins and themes not maintained in this repository.
|
||||
- Issues that require an already-compromised admin account or server.
|
||||
- Denial of service, rate-limiting, and brute-force concerns — these should be
|
||||
handled at the infrastructure layer (reverse proxy / WAF / Cloudflare).
|
||||
- Self-XSS, missing security headers without a demonstrated impact, and other
|
||||
best-practice findings without a concrete exploit.
|
||||
|
||||
Thank you for helping keep Bludit and its users safe.
|
||||
Reference in New Issue
Block a user