[{"id":3745365,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for [supported versions of Concrete](https://documentation.concretecms.org/developers/introduction/system-requirements). \n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs.  
You may report vulnerabilities for products listed in the Concrete Marketplace via this Concrete Core HackerOne and we will inform the independent developer. However, we do not create and manage CVEs for them.  \n    \n\n*   **3rd Party libraries.** \n    *   The 3rd party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc.) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR - example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? 
\n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core and marketplace addon vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team), which provides automatic status updates. Marketplace addon vulnerabilities will be closed as \"informative\" and the independent developer of the addon will be informed. HackerOne provides a monitored method to report, track and communicate remediation for Concrete Core vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete codebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. \n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download). \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! 
Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will automatically be flagged by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). \n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. 
\n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs' FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\nCritical: CVSS 3.1 Score 9-10, 30 Days \n\nHigh: CVSS 3.1 Score 7.0-8.9, 90 Days\n\n### **CVE Management**\n\nConcrete CMS is a CVE Numbering Authority (CNA) and hence publishes CVEs for active versions of Concrete CMS.  
We attempt to publish CVEs within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-27T17:48:50.421Z"},{"id":3745256,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for [supported versions of Concrete](https://documentation.concretecms.org/developers/introduction/system-requirements). \n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. 
These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs.  You may report vulnerabilities for products listed in the Concrete Marketplace via this Concrete Core HackerOne and we will inform the independent developer. However, we do not create and manage CVEs for them.  \n    \n\n*   **3rd Party libraries.** \n    *   The 3rd party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc.) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR - example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. 
Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core and marketplace vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team), which provides automatic status updates. Marketplace vulnerabilities will be closed as \"informative\" and the independent developer of the add-on will be informed. HackerOne provides a monitored method to report, track and communicate remediation for Concrete Core vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete codebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. \n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. 
Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download). \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will automatically be flagged by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). \n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. 
\n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs' FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\nCritical: CVSS 3.1 Score 9-10, 30 Days \n\nHigh: CVSS 3.1 Score 7.0-8.9, 90 Days\n\n### **CVE Management**\n\nConcrete CMS is a CVE Numbering Authority (CNA) and hence publishes CVEs for active versions of Concrete CMS.  
We attempt to publish CVEs within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-25T21:43:00.390Z"},{"id":3745255,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for [supported versions of Concrete](https://documentation.concretecms.org/developers/introduction/system-requirements). \n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. 
These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs.  You may report vulnerabilities for products listed in the Concrete Marketplace via this Concrete Core HackerOne and we will inform the independent developer. However, we do not create and manage CVEs for them.  \n    \n\n*   **3rd Party libraries.** \n    *   The 3rd party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc.) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR - example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. 
Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core and marketplace vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team), which provides automatic status updates. Marketplace vulnerabilities will be closed as \"informative\" and the independent developer of the add-on will be informed. HackerOne provides a monitored method to report, track and communicate remediation for Concrete Core vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete codebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. \n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. 
Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download). \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will automatically be flagged by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). \n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. 
\n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs' FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\nCritical: CVSS 3.1 Score 9-10, 30 Days \n\nHigh: CVSS 3.1 Score 7.0-8.9, 90 Days\n\n### **CVE Management**\n\nPortlandLabs will request HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-25T21:41:00.769Z"},{"id":3745254,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for [supported versions of Concrete](https://documentation.concretecms.org/developers/introduction/system-requirements). 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs.  You may report vulnerabilities for products listed in the Concrete Marketplace and we will inform the independent developer. However, we do not create and manage CVEs for them.  \n    \n\n*   **3rd Party libraries.** \n    *   The 3rd party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc.) have their own vulnerability management programs. 
Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR - example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core and marketplace vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team), which provides automatic status updates. Marketplace vulnerabilities will be closed as \"informative\" and the independent developer of the add-on will be informed. HackerOne provides a monitored method to report, track and communicate remediation for Concrete Core vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. 
PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete codebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. \n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will automatically be flagged by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! 
We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). \n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. 
\n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n*   Critical (CVSS 3.1 Base Score 9.0-10.0): 30 days\n    \n*   High (CVSS 3.1 Base Score 7.0-8.9): 90 days\n\n### **CVE Management**\n\nPortlandLabs will request HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-25T21:38:04.160Z"},{"id":3699349,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for [supported versions of Concrete](https://documentation.concretecms.org/developers/introduction/system-requirements). 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*   **3rd-party libraries.** \n    *   The 3rd-party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc.) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. 
In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR - example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number.  (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team) which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete codebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 
\n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will automatically be flagged by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). 
\n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n*   Critical (CVSS 3.1 Base Score 9.0-10.0): 30 days\n    \n*   High (CVSS 3.1 Base Score 7.0-8.9): 90 days\n\n### **CVE Management**\n\nPortlandLabs will request HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-02T16:03:37.296Z"},{"id":3699348,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for [supported versions of Concrete](https://documentation.concretecms.org/developers/introduction/system-requirements). 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*   **3rd-party libraries.** \n    *   The 3rd-party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc.) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. 
In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR - example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number.  (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team) which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete codebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 
\n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be automatically flagged by HackerOne and closed.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). 
\n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n*   Critical (CVSS 3.1 Base Score 9.0-10.0): 30 days\n    \n*   High (CVSS 3.1 Base Score 7.0-8.9): 90 days\n\n### **CVE Management**\n\nPortlandLabs will request HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-02T16:03:26.309Z"},{"id":3699346,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for [supported versions of Concrete](https://documentation.concretecms.org/developers/introduction/system-requirements). 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*   **3rd-party libraries.** \n    *   The 3rd-party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc.) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. 
In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR - example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number.  (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team) which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete codebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 
\n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). \n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. 
Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n*   Critical (CVSS 3.1 Base Score 9.0-10.0): 30 days\n    \n*   High (CVSS 3.1 Base Score 7.0-8.9): 90 days\n\n### **CVE Management**\n\nPortlandLabs will request HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-02T15:58:33.187Z"},{"id":3666113,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for [supported versions of Concrete](https://documentation.concretecms.org/developers/introduction/system-requirements). 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*  **3d Party libraries.** \n    *   The 3d party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. 
In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR- example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number.  (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team) which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete corebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 
\n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). 
\n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable, reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\nCritical: CVSS 3.1 Score 9.0-10.0 - 30 Days\n\nHigh: CVSS 3.1 Score 7.0-8.9 - 90 Days\n\n### CVE Management\n\nPortlandLabs will request HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-04T00:45:18.950Z"},{"id":3666112,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above. 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues** - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*  **3d Party libraries.** \n    *   The 3d party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. 
In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR- example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number.  (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team) which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete corebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 
\n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). 
\n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable, reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\nCritical: CVSS 3.1 Score 9.0-10.0 - 30 Days\n\nHigh: CVSS 3.1 Score 7.0-8.9 - 90 Days\n\n### CVE Management\n\nPortlandLabs will request HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-04T00:25:12.765Z"},{"id":3666111,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above. 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report**\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*  **3d Party libraries.** \n    *   The 3d party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. 
In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [Concrete Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR- example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number.  (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team) which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete corebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 
\n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). 
\n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable, reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs FedRAMP, ISO 27001:2013, and SOC 2 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\nCritical: CVSS 3.1 Score 9.0-10.0 - 30 Days\n\nHigh: CVSS 3.1 Score 7.0-8.9 - 90 Days\n\n### CVE Management\n\nPortlandLabs will request HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-04T00:23:56.191Z"},{"id":3666110,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above. 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report**\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*  **3d Party libraries.** \n    *   The 3d party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. 
In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [concrete5 Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH\n\n*   MAJOR- example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number.  (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team) which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) page where all CVEs related to the Concrete corebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 
\n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). 
\n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keeping concrete5 secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE number is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs' FedRAMP- and ISO 27001:2013-audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority, since administrative access, by its very nature, already grants privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n*   Critical (CVSS 3.1 Score 9-10): 30 Days\n    \n*   High (CVSS 3.1 Score 7.0-8.9): 90 Days\n\n### **CVE Management**\n\nPortlandLabs will ask HackerOne to send CVE entry details to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n  \n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concretecms.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-04T00:20:25.148Z"},{"id":3666108,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above. 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server or CMS configuration issues - we recommend that you check [Concrete CMS Configuration Best Practices](https://documentation.concretecms.org/developers/introduction/configuration-best-practices) which contain some important configurations that may solve what you are about to report**\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*   **3rd Party libraries.** \n    *   The 3rd party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. 
In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [concrete5 Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH.\n\n*   MAJOR - example: For version 8.0.0, the eight is the major number. (Major changes to the CMS; verify functionality on a staging site prior to upgrading.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number. (We strongly recommend that you follow best practice and verify functionality on a staging site.)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team), which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3\u0026keyword=concrete) page where all CVEs related to the Concrete core are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 
\n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). 
\n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. \n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keeping concrete5 secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE number is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs' FedRAMP- and ISO 27001:2013-audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority, since administrative access, by its very nature, already grants privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n*   Critical (CVSS 3.1 Score 9-10): 30 Days\n    \n*   High (CVSS 3.1 Score 7.0-8.9): 90 Days\n\n### **CVE Management**\n\nPortlandLabs will ensure that CVE entry details are sent to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n  \n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concrete5.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-04T00:11:14.469Z"},{"id":3662678,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above. 
\n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026query=concrete\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:\n\n*   **Server configuration issues**\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*   **3rd Party libraries.** \n    *   The 3rd party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [concrete5 Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. 
Future releases will detail CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH.\n\n*   MAJOR - example: For version 8.0.0, the eight is the major number. (Major changes to the CMS; verify functionality on a staging site prior to upgrading.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number. (We strongly recommend that you follow best practice and verify functionality on a staging site.)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team), which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3\u0026keyword=concrete) page where all CVEs related to the Concrete core are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. \n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! 
This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). \n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. 
\n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keeping concrete5 secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE number is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs' FedRAMP- and ISO 27001:2013-audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority, since administrative access, by its very nature, already grants privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n*   Critical (CVSS 3.1 Score 9-10): 30 Days\n    \n*   High (CVSS 3.1 Score 7.0-8.9): 90 Days\n\n### **CVE Management**\n\nPortlandLabs will ensure that CVE entry details are sent to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n  \n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concrete5.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-07T23:04:31.395Z"},{"id":3644595,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above. \n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3\u0026keyword=concrete) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. 
These include, but are not limited to:\n\n*   **Server configuration issues**\n    \n*   **Default Credentials**\n    \n*   **CSRF Logout**\n    \n*   **Self DoS capability**\n    \n*   **Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community** \n    *   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*   **3rd Party libraries.** \n    *   The 3rd party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [concrete5 Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Future releases will detail CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH.\n\n*   MAJOR - example: For version 8.0.0, the eight is the major number. (Major changes to the CMS; verify functionality on a staging site prior to upgrading.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number. (We strongly recommend that you follow best practice and verify functionality on a staging site.)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. 
(Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team), which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. \n\n### Currently not accepting reports for the community site - concrete5.org \n\nWe are actively working to upgrade the concrete5.org site and request that you hold off reporting vulnerabilities for the community site at this time. Should you choose to submit a report for concrete5.org, we will acknowledge your submission, and we might take action, but please understand that no information updates will be provided. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3\u0026keyword=concrete) page where all CVEs related to the Concrete core are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. \n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. 
Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). \n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. 
\n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keeping concrete5 secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE number is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs' FedRAMP- and ISO 27001:2013-audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority, since administrative access, by its very nature, already grants privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n*   Critical (CVSS 3.1 Score 9-10): 30 Days\n    \n*   High (CVSS 3.1 Score 7.0-8.9): 90 Days\n\n### **CVE Management**\n\nPortlandLabs will ensure that CVE entry details are sent to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n  \n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concrete5.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-30T17:33:51.492Z"},{"id":3644594,"new_policy":"[PortlandLabs Inc](https://portlandlabs.com) is the creator and maintainer of the open source content management system [Concrete CMS](https://www.concrete5.org/) (also known as concrete5 or Concrete).\n\nScope\n=====\n\nPortlandLabs manages the vulnerabilities in the Concrete core software, [https://github.com/concrete5/concrete5](https://github.com/concrete5/concrete5). PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above. \n\nConcrete core vulnerabilities are listed on [NIST](https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3\u0026keyword=concrete) so that the community can take action to harden their sites.\n\nTo help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.\n\n-----\n\nWhat is not in Scope\n====================\n\nPortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. 
These include, but are not limited to:\n\n*   ### Server configuration issues\n    \n*   ### Default Credentials\n    \n*   ### CSRF Logout\n    \n*   ### Self DoS capability\n    \n*   ### Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community \n    \n\n*   Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.\n    \n\n*   ### 3rd Party libraries. \n    \n\n*   The 3rd party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.\n    \n\n  \n\n-------\n\nPatched Versions\n================\n\nUpdates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. \n\nSee [concrete5 Core Releases](https://www.concrete5.org/about/blog/core-releases). Release notes detail the security fixes that are made. Future releases will detail CVEs that are remediated in that release. \n\nWe use the versioning scheme MAJOR.MINOR.PATCH.\n\n*   MAJOR - example: For version 8.0.0, the eight is the major number. (Major changes to the CMS; verify functionality on a staging site prior to upgrading.)\n    \n*   MINOR - example: For version 8.5.0, the five is the minor number. (We strongly recommend that you follow best practice and verify functionality on a staging site.)\n    \n*   PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. 
(Best practice would be to verify functionality on a staging site or take a backup snapshot first.)\n    \n\nWant to Report a Security Vulnerability? \n=========================================\n\n### Report Via HackerOne\n\nPlease report Concrete core vulnerabilities via [HackerOne](https://hackerone.com/concrete5?type=team), which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. \n\n### Currently not accepting reports for the community site - concrete5.org \n\nWe are actively working to upgrade the concrete5.org site and request that you hold off reporting vulnerabilities for the community site at this time. Should you choose to submit a report for concrete5.org, we will acknowledge your submission, and we might take action, but please understand that no information updates will be provided. \n\n### Avoid Duplicate Reporting\n\nCheck the [NIST](https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3\u0026keyword=concrete) page where all CVEs related to the Concrete core are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. \n\nIf a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.\n\nOnly the first submitter will be credited for the vulnerability discovery.\n\n### Respect Others\n\nPlease install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. 
Beating on our trial servers or concrete5.org will not be well-received.\n\nSee the [Installation Guide](https://www.concrete5.org/documentation/developers/5.7/installation) to [download Concrete](https://www.concrete5.org/download) \n\n### Be Clear\n\nWe greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.\n\n### Rule Acknowledgement required to Report\n\nWe receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.\n\n### Do Not Disclose\n\nPlease be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.\n\nVulnerabilities will not be disclosed until a fix is publicly available. \n\nReporters are expected to follow the [HackerOne General Terms](https://www.hackerone.com/terms/general) and [Finder Terms](https://www.hackerone.com/terms/finder). \n\n### Credit\n\nWe've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. 
\n\n  \n\nWhat We Do \n===========\n\nKeeping You in the Loop\n-----------------------\n\nSince we deeply appreciate the contributions of the community to keeping concrete5 secure, we will acknowledge your security submission upon receipt. \n\nWe will respond to clear, understandable, reports within 5 days on whether we deem your submission to be a unique vulnerability. \n\nWe will apprise you once a CVE # is assigned. \n\nWe will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. \n\n  \n\nVulnerability Management Process\n--------------------------------\n\nAll security issues brought to our attention are examined and treated using PortlandLabs FedRAMP and ISO 27001:2013 audited Vulnerability Management Process. \n\n### Risk Ranking\n\n[CVSS 3.1](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. \n\nNote that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. \n\n### Remediation\n\nWe cannot promise absolute resolution on a fixed timeline for every issue. 
However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:\n\n| Severity | CVSS 3.1 Score | Remediation Target |\n|---|---|---|\n| Critical | 9-10 | 30 Days |\n| High | 7.0-8.9 | 90 Days |\n\n### **CVE Management**\n\nPortlandLabs will ensure that CVE entry details are sent to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.\n\n  \n\nIF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email **security@concrete5.org**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-30T17:31:30.263Z"},{"id":3569390,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing.\nRead This\n=========\n* IMPORTANT: There are three types of issues we track here: Core CMS issues, concrete5.org community site issues, and add-on/theme issues from the marketplace at concrete5.org. We can not promise swag or absolute resolution on a fixed timeline for every issue, but we're eager to hear about what you've found regardless. \n* Install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. 
To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 can be reported here, we will make every effort to forward information to the the author of the code. In cases where there is an 'open door' security issue we may get involved in issuing a fix ourselves. Please keep in mind that there are thousands of add-ons and themes for concrete5 that we didn't write, we will do the best we can to keep communication open and release schedules of your vulnerability reports clear.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. 
If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n\n\nLevels of Severity\n======\n**Open Door** - A clear method where someone can immediately gain any type of unintended administrative access through a bug in the system. This would put a website at risk from an external attacker or a disgruntled editor with limited permissions. It is a clear documented attack that always grants access to someone who should not have it. This type of exploit would be considered a top priority and would likely force an immediate point release of the core to resolve. \n\n**External Attack Vector** - A bug that an external attacker might use in conjunction with other techniques to gain access or get data. No administrative access is required to exploit the bug. The bug does not provide access on its own. It would have to be part of a larger attack, often involving some social engineering. These are considered a high priority and are typically patched immediately by the core team in github and launched in the next version of the core. \n\n**Internal Attack Vector** - A bug that requires someone already have some type of administrative access to the CMS. This might just change the experience of the CMS, or be part of a more complicated attack that might hypothetically gain more access than they should have. These are considered important to clean up over time. \n\nResponse\n=======\n* We will try to respond to most reports within 48 hours.\n* We will fix ___open door___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. 
Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-02-21T19:04:53.244Z"},{"id":2500633,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing. It's a mature product with lots of IO, so there's lots of opportunities to find less than perfect code. ;) \n\nRead This\n=========\n* IMPORTANT: There are three types of issues we track here: Core CMS issues, concrete5.org community site issues, and add-on/theme issues from the marketplace at concrete5.org. We can not promise swag or absolute resolution on a fixed timeline for every issue, but we're eager to hear about what you've found regardless. \n* Install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. 
If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 can be reported here, we will make every effort to forward information to the the author of the code. In cases where there is an 'open door' security issue we may get involved in issuing a fix ourselves. Please keep in mind that there are thousands of add-ons and themes for concrete5 that we didn't write, we will do the best we can to keep communication open and release schedules of your vulnerability reports clear.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. 
If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n\n\nLevels of Severity\n======\n**Open Door** - A clear method where someone can immediately gain any type of unintended administrative access through a bug in the system. This would put a website at risk from an external attacker or a disgruntled editor with limited permissions. It is a clear documented attack that always grants access to someone who should not have it. This type of exploit would be considered a top priority and would likely force an immediate point release of the core to resolve. \n\n**External Attack Vector** - A bug that an external attacker might use in conjunction with other techniques to gain access or get data. No administrative access is required to exploit the bug. The bug does not provide access on its own. It would have to be part of a larger attack, often involving some social engineering. These are considered a high priority and are typically patched immediately by the core team in github and launched in the next version of the core. \n\n**Internal Attack Vector** - A bug that requires someone already have some type of administrative access to the CMS. This might just change the experience of the CMS, or be part of a more complicated attack that might hypothetically gain more access than they should have. These are considered important to clean up over time. \n\nResponse\n=======\n* We will try to respond to most reports within 48 hours.\n* We will fix ___open door___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. 
Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-15T18:25:01.250Z"},{"id":2500632,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing. It's a mature product with lots of IO, so there's lots of opportunities to find less than perfect code. ;) \n\nRead This\n=========\n* __IMPORTANT: There are three types of issues we track here: Core CMS issues, concrete5.org community site issues, and add-on/theme issues from the marketplace at concrete5.org. We can not promise swag or absolute resolution on a fixed timeline for every issue, but we're eager to hear about what you've found regardless. \n* __Install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. 
If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 can be reported here, we will make every effort to forward information to the the author of the code. In cases where there is an 'open door' security issue we may get involved in issuing a fix ourselves. Please keep in mind that there are thousands of add-ons and themes for concrete5 that we didn't write, we will do the best we can to keep communication open and release schedules of your vulnerability reports clear.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. 
If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n\n\nLevels of Severity\n======\n**Open Door** - A clear method where someone can immediately gain any type of unintended administrative access through a bug in the system. This would put a website at risk from an external attacker or a disgruntled editor with limited permissions. It is a clear documented attack that always grants access to someone who should not have it. This type of exploit would be considered a top priority and would likely force an immediate point release of the core to resolve. \n\n**External Attack Vector** - A bug that an external attacker might use in conjunction with other techniques to gain access or get data. No administrative access is required to exploit the bug. The bug does not provide access on its own. It would have to be part of a larger attack, often involving some social engineering. These are considered a high priority and are typically patched immediately by the core team in github and launched in the next version of the core. \n\n**Internal Attack Vector** - A bug that requires someone already have some type of administrative access to the CMS. This might just change the experience of the CMS, or be part of a more complicated attack that might hypothetically gain more access than they should have. These are considered important to clean up over time. \n\nResponse\n=======\n* We will try to respond to most reports within 48 hours.\n* We will fix ___open door___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. 
Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-15T18:24:37.756Z"},{"id":2500631,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing. It's a mature product with lots of IO, so there's lots of opportunities to find less than perfect code. ;) \n\nRead This\n=========\n* __IMPORTANT: There are three types of issues we track here: Core CMS issues, concrete5.org community site issues, and add-on/theme issues from the marketplace at concrete5.org. We can not promise swag or absolute resolution on a fixed timeline for every issue, but we're eager to hear about what you've found regardless. \n*___Install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. 
If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 can be reported here, we will make every effort to forward information to the the author of the code. In cases where there is an 'open door' security issue we may get involved in issuing a fix ourselves. Please keep in mind that there are thousands of add-ons and themes for concrete5 that we didn't write, we will do the best we can to keep communication open and release schedules of your vulnerability reports clear.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. 
If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n\n\nLevels of Severity\n======\n**Open Door** - A clear method where someone can immediately gain any type of unintended administrative access through a bug in the system. This would put a website at risk from an external attacker or a disgruntled editor with limited permissions. It is a clear documented attack that always grants access to someone who should not have it. This type of exploit would be considered a top priority and would likely force an immediate point release of the core to resolve. \n\n**External Attack Vector** - A bug that an external attacker might use in conjunction with other techniques to gain access or get data. No administrative access is required to exploit the bug. The bug does not provide access on its own. It would have to be part of a larger attack, often involving some social engineering. These are considered a high priority and are typically patched immediately by the core team in github and launched in the next version of the core. \n\n**Internal Attack Vector** - A bug that requires someone already have some type of administrative access to the CMS. This might just change the experience of the CMS, or be part of a more complicated attack that might hypothetically gain more access than they should have. These are considered important to clean up over time. \n\nResponse\n=======\n* We will try to respond to most reports within 48 hours.\n* We will fix ___open door___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. 
Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-15T18:24:05.081Z"},{"id":1889100,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing. It's a mature product with lots of IO, so there's lots of opportunities to find less than perfect code. ;) \n\nRead This\n=========\n* __IMPORTANT: DO NOT TEST `concrete5.org`.__ Do not test an install of concrete5 that you do not own. This includes `concrete5.org` and any other existing install you might find. If you report an issue against `concrete5.org` or another install you do not own, it will not be accepted. Instead, install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. 
If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 should not be reported here, you should contact the author of the code.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n* For issues affecting only concrete5.org or other sites run by Portland Labs, please email security [at] concrete5.org with a detailed report.\n\nLevels of Severity\n======\n**Open Door** - A clear method where someone can immediately gain any type of unintended administrative access through a bug in the system. 
This would put a website at risk from an external attacker or a disgruntled editor with limited permissions. It is a clear documented attack that always grants access to someone who should not have it. This type of exploit would be considered a top priority and would likely force an immediate point release of the core to resolve. \n\n**External Attack Vector** - A bug that an external attacker might use in conjunction with other techniques to gain access or get data. No administrative access is required to exploit the bug. The bug does not provide access on its own. It would have to be part of a larger attack, often involving some social engineering. These are considered a high priority and are typically patched immediately by the core team in github and launched in the next version of the core. \n\n**Internal Attack Vector** - A bug that requires someone already have some type of administrative access to the CMS. This might just change the experience of the CMS, or be part of a more complicated attack that might hypothetically gain more access than they should have. These are considered important to clean up over time. \n\nResponse\n=======\n* We will try to respond to most reports within 48 hours.\n* We will fix ___severe___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. 
Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-10-05T20:01:57.500Z"},{"id":1564939,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing. It's a mature product with lots of IO, so there's lots of opportunities to find less than perfect code. ;) \n\nRead This\n=========\n* __IMPORTANT: DO NOT TEST `concrete5.org`.__ Do not test an install of concrete5 that you do not own. This includes `concrete5.org` and any other existing install you might find. If you report an issue against `concrete5.org` or another install you do not own, it will not be accepted. Instead, install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. 
If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 should not be reported here, you should contact the author of the code.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n* For issues affecting only concrete5.org or other sites run by Portland Labs, please email security [at] concrete5.org with a detailed report.\n\nLevels of Severity\n======\n* __A severe issue__. Someone with no access can get editor/admin access to a concrete5 site when they should not. 
This is a huge deal and we will be all over it.\n* __A critical issue.__ Someone with no access can do something that might impact someone who does have access. (IE: SQL injection from a form anyone can get at)\n* __A medium issue.__ Someone who already has editor/admin access can do something they shouldn't. Typically it's SQL injection or cross site scripting vulnerabilities but they require you already \nto have access to the dashboard. Being able to get a level of access greater than what you are supposed to have would likely graduate a vulnerability into a critical or severe issue in our eyes.\n* __A minor issue.__ Something that's less than ideal, but can't be used to do anything nefarious today. Things that only impact the browsing experience of the person attacking likely fall into this \ncategory.\n\nResponse\n=======\n* We will try to respond to most reports within 48 hours.\n* We will fix ___severe___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-17T18:32:37.123Z"},{"id":1564936,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing. It's a mature product with lots of IO, so there's lots of opportunities to find less than perfect code. ;) \n\nRead This\n=========\n* __IMPORTANT: DO NOT TEST `concrete5.org`.__ Do not test an install of concrete5 that you do not own. 
This includes `concrete5.org` and any other existing install you might find. If you report an issue against `concrete5.org` or another install you do not own, it will not be accepted. Instead, install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. 
You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 should not be reported here, you should contact the author of the code.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n* For issues affecting only concrete5.org or other sites run by Portland Labs, please email security [at] concrete5.org with a detailed report.\n\nLevels of Severity\n======\n* __A severe issue__. Someone with no access can get editor/admin access to a concrete5 site when they should not. This is a huge deal and we will be all over it.\n* __A critical issue.__ Someone with no access can do something that might impact someone who does have access. (IE: SQL injection from a form anyone can get at)\n* __A medium issue.__ Someone who already has editor/admin access can do something they shouldn't. Typically it's SQL injection or cross site scripting vulnerabilities but they require you already \nto have access to the dashboard. Being able to get a level of access greater than what you are supposed to have would likely graduate a vulnerability into a critical or severe issue in our eyes.\n* __A minor issue.__ Something that's less than ideal, but can't be used to do anything nefarious today. 
Things that only impact the browsing experience of the person attacking likely fall into this \ncategory.\n\nResponse\n=======\n* We will try to respond to most reports within 48 hours.\n* We will fix ___severe___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-17T18:32:31.090Z"},{"id":1564932,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing. It's a mature product with lots of IO, so there's lots of opportunities to find less than perfect code. ;) \n\nRead This\n=========\n* __IMPORTANT: DO NOT TEST `concrete5.org`.__ Do not test an install of concrete5 that you do not own. This includes `concrete5.org` and any other existing install you might find. If you report an issue against `concrete5.org` or another install you do not own, it will not be accepted. Instead, install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. 
The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 should not be reported here, you should contact the author of the code.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. 
If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n* For issues affecting only concrete5.org or other sites run by Portland Labs, please email security [at] concrete5.org with a detailed report.\n\nLevels of Severity\n======\n* __A severe issue__. Someone with no access can get editor/admin access to a concrete5 site when they should not. This is a huge deal and we will be all over it.\n* __A critical issue.__ Someone with no access can do something that might impact someone who does have access. (IE: SQL injection from a form anyone can get at)\n* __A medium issue.__ Someone who already has editor/admin access can do something they shouldn't. Typically it's SQL injection or cross site scripting vulnerabilities but they require you already \nto have access to the dashboard. Being able to get a level of access greater than what you are supposed to have would likely graduate a vulnerability into a critical or severe issue in our eyes.\n* __A minor issue.__ Something that's less than ideal, but can't be used to do anything nefarious today. Things that only impact the browsing experience of the person attacking likely fall into this \ncategory.\n\nResponse\n=======\n* We will respond to most reports within 48 hours.\n* We will fix ___severe___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got some limited swag and lots of honor for those who submit issues related to the core software, but no cash. 
Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-17T18:31:14.676Z"},{"id":1564880,"new_policy":"concrete5 is a powerful CMS built around the idea of in-context editing. It's a mature product with lots of IO, so there's lots of opportunities to find less than perfect code. ;) \n\nRead This\n=========\n* __IMPORTANT: DO NOT TEST `concrete5.org`.__ Do not test an install of concrete5 that you do not own. This includes `concrete5.org` and any other existing install you might find. If you report an issue against `concrete5.org` or another install you do not own, it will not be accepted. Instead, install a local copy of concrete5. This will let you test concrete5 without disrupting other users.\n* __IMPORTANT: SERVER CONFIGURATION ISSUES DO NOT QUALIFY.__ Do not report configuration issues with `concrete5.org`, `portlandlabs.com`, etc. For example: software versions, SPF headers, etc. These are outside of program scope. The goal of this program is to find vulnerabilities in the concrete5 CMS software itself.\n* For instructions on installing a local copy of concrete5, see the [Installation Guide](http://www.concrete5.org/documentation/developers/5.7/installation).\n* We receive many reports from researchers who do not read these rules. To prove that you've read and understood these rules, please include the word \"crayons\" somewhere in your report. 
If you do not, your report will be closed as invalid automatically.\n\n***These last 4 awesome rules have been copied almost verbatim from [Phabricator](https:////hackerone.com/phabricator), if you have extra time to give, that's a great place to give it!***\n\nRequirements\n============ \n\n* Test on your copy. We're open source, so [grab a copy from our site](http://www.concrete5.org/developers/downloads/) and [install it locally](http://www.concrete5.org/documentation/developers/5.7/installation). Beating on our trial servers or concrete5.org will not be well received.\n* Be clear. We totally get that you're not paid to do this. Here's a coincidence, neither are we! There's no huge corporate benefactor behind concrete5 today, so we're not in a position to \nponder your terse report that's steeped in insider snark to guess at what you meant. You spent the time finding the issue, muster an extra 2 minutes to spell out what you're able to do with it \nso us over allocated curmudgeons understand the severity of our screw up. ;)\n* Be responsible. We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you're here for the \nsame. Report issues directly to us here.\n* Addon's and Themes for concrete5 should not be reported here, you should contact the author of the code.\n* 3rd Party Stuff. We use jQuery, ADODB, TinyMCE, some Zend Libraries, etc.. If you find an issue entirely within one of our included solutions, we're of course interested, but likely only if \nthey lead to severe/critical issues (below)\n* For issues affecting only concrete5.org or other sites run by Portland Labs, please email security [at] concrete5.org with a detailed report.\n\nLevels of Severity\n======\n* __A severe issue__. Someone with no access can get editor/admin access to a concrete5 site when they should not. 
This is a huge deal and we will be all over it.\n* __A critical issue.__ Someone with no access can do something that might impact someone who does have access. (IE: SQL injection from a form anyone can get at)\n* __A medium issue.__ Someone who already has editor/admin access can do something they shouldn't. Typically it's SQL injection or cross site scripting vulnerabilities but they require you already \nto have access to the dashboard. Being able to get a level of access greater than what you are supposed to have would likely graduate a vulnerability into a critical or severe issue in our eyes.\n* __A minor issue.__ Something that's less than ideal, but can't be used to do anything nefarious today. Things that only impact the browsing experience of the person attacking likely fall into this \ncategory.\n\nResponse\n=======\n* We will respond to most reports within 48 hours.\n* We will fix ___severe___ security issues within 48 hours of confirming them, all other issues will be fixed within a reasonable timeline as determined after triage.\n* We've got swag and honor for those who submit issues, but no cash. Type of swag will be determined on a case to case basis.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-17T18:17:54.470Z"}]