Files
tcms/SECURITY.md
T
Ty Clifford cebb0d3af1 -
2026-07-03 07:31:09 -04:00

1.9 KiB

Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in Bludit, please do not open a public GitHub issue, post in discussions, or disclose it on social media before it has been addressed.

Instead, report it privately through GitHub's Private Vulnerability Reporting:

https://github.com/bludit/bludit/security/advisories/new

This opens a private advisory visible only to the Bludit maintainers.

When reporting, please include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce, including a proof of concept if possible.
  • The Bludit version, PHP version, and webserver where you reproduced it.
  • Any suggested mitigation or patch.

What to Expect

  • We aim to acknowledge new reports within 5 business days.
  • We will keep you informed as we investigate and work on a fix.
  • Once a fix is released, we will publish a GitHub Security Advisory crediting the reporter (unless you prefer to remain anonymous) and, where appropriate, request a CVE.

Supported Versions

Security fixes are provided for the latest stable release of Bludit on the master branch. Older versions are not supported — please upgrade before reporting issues against them.

Scope

In scope:

  • The Bludit core (bl-kernel/, bl-plugins/ shipped with core, bl-themes/ shipped with core).
  • The official admin interface.

Out of scope:

  • Third-party plugins and themes not maintained in this repository.
  • Issues that require an already-compromised admin account or server.
  • Denial of service, rate-limiting, and brute-force concerns — these should be handled at the infrastructure layer (reverse proxy / WAF / Cloudflare).
  • Self-XSS, missing security headers without a demonstrated impact, and other best-practice findings without a concrete exploit.

Thank you for helping keep Bludit and its users safe.