PortlandLabs manages the vulnerabilities in the Concrete core software, https://github.com/concrete5/concrete5. PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above.
Concrete core vulnerabilities are listed on NIST so that the community can take action to harden their sites.
To help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.
What is not in Scope
PortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:
Server configuration issues
Self DoS capability
Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community
Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.
3d Party libraries. The 3d party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.
Updates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete.
See concrete Core Releases. Release notes detail the security fixes that are made. Future releases will detail CVEs that are remediated in that release.
We use the versioning scheme MAJOR.MINOR.PATCH
MAJOR- example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)
MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)
PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number. (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)
Reporting a Security Issue
Report Via HackerOne
Please report Concrete core vulnerabilities via HackerOne which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts.
Avoid Duplicate Reporting
Check the NIST page where all CVEs related to the Concrete corebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate.
If a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.
Only the first submitter will be credited for the vulnerability discovery.
Please install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or our websites will not be well-received.
We greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.
Rule Acknowledgement required to Report
We receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word "crayons" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.
Do Not Disclose
Please be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.
Vulnerabilities will not be disclosed until a fix is publicly available.
We've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.
What We Do
Keeping You in the Loop
Since we deeply appreciate the contributions of the community to keeping concrete5 secure, we will acknowledge your security submission upon receipt.
We will respond to clear, understandable, reports within 5 days on whether we deem your submission to be a unique vulnerability.
We will apprise you once a CVE # is assigned.
We will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter.
Vulnerability Management Process
All security issues brought to our attention are examined and treated using PortlandLabs FedRAMP and ISO 27001:2013 audited Vulnerability Management Process.
CVSS 3.1 Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score.
Note that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access.
We cannot promise absolute resolution on a fixed timeline for every issue. However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:
Critical: CVSS 3.1 Score 9-10 30 Days
High: CVSS 3.1 Score 7.0-8.9 90 Days
PortlandLabs will ensure that CVE entry details are sent to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.
IF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email email@example.com