1.9 KiB
1.9 KiB
Security Policy
Reporting a Vulnerability
If you believe you have found a security vulnerability in Bludit, please do not open a public GitHub issue, post in discussions, or disclose it on social media before it has been addressed.
Instead, report it privately through GitHub's Private Vulnerability Reporting:
https://github.com/bludit/bludit/security/advisories/new
This opens a private advisory visible only to the Bludit maintainers.
When reporting, please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce, including a proof of concept if possible.
- The Bludit version, PHP version, and webserver where you reproduced it.
- Any suggested mitigation or patch.
What to Expect
- We aim to acknowledge new reports within 5 business days.
- We will keep you informed as we investigate and work on a fix.
- Once a fix is released, we will publish a GitHub Security Advisory crediting the reporter (unless you prefer to remain anonymous) and, where appropriate, request a CVE.
Supported Versions
Security fixes are provided for the latest stable release of Bludit on the
master branch. Older versions are not supported — please upgrade before
reporting issues against them.
Scope
In scope:
- The Bludit core (
bl-kernel/,bl-plugins/shipped with core,bl-themes/shipped with core). - The official admin interface.
Out of scope:
- Third-party plugins and themes not maintained in this repository.
- Issues that require an already-compromised admin account or server.
- Denial of service, rate-limiting, and brute-force concerns — these should be handled at the infrastructure layer (reverse proxy / WAF / Cloudflare).
- Self-XSS, missing security headers without a demonstrated impact, and other best-practice findings without a concrete exploit.
Thank you for helping keep Bludit and its users safe.