Files
tcms/SECURITY.md
T
Ty Clifford cebb0d3af1 -
2026-07-03 07:31:09 -04:00

54 lines
1.9 KiB
Markdown

# Security Policy
## Reporting a Vulnerability
If you believe you have found a security vulnerability in Bludit, please **do
not** open a public GitHub issue, post in discussions, or disclose it on social
media before it has been addressed.
Instead, report it privately through GitHub's Private Vulnerability Reporting:
**https://github.com/bludit/bludit/security/advisories/new**
This opens a private advisory visible only to the Bludit maintainers.
When reporting, please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce, including a proof of concept if possible.
- The Bludit version, PHP version, and webserver where you reproduced it.
- Any suggested mitigation or patch.
## What to Expect
- We aim to acknowledge new reports within **5 business days**.
- We will keep you informed as we investigate and work on a fix.
- Once a fix is released, we will publish a GitHub Security Advisory crediting
the reporter (unless you prefer to remain anonymous) and, where appropriate,
request a CVE.
## Supported Versions
Security fixes are provided for the **latest stable release** of Bludit on the
`master` branch. Older versions are not supported — please upgrade before
reporting issues against them.
## Scope
In scope:
- The Bludit core (`bl-kernel/`, `bl-plugins/` shipped with core, `bl-themes/`
shipped with core).
- The official admin interface.
Out of scope:
- Third-party plugins and themes not maintained in this repository.
- Issues that require an already-compromised admin account or server.
- Denial of service, rate-limiting, and brute-force concerns — these should be
handled at the infrastructure layer (reverse proxy / WAF / Cloudflare).
- Self-XSS, missing security headers without a demonstrated impact, and other
best-practice findings without a concrete exploit.
Thank you for helping keep Bludit and its users safe.