| Version | Supported |
|---|---|
| 3.0.x | ✅ |
| 2.1.x | ✅ |
| 2.0.x | ✅ |
| 1.x | ❌ |
To report a security issue, use one of the following:

- Security form: we prefer to receive security reports via our security form. Please include all relevant information in your report.
- GitHub Security Advisories may also be used.
- Email: you can email us using the standard security@ address for our main website, [Simple Machines](https://simplemachines.org).
When we receive your report, our team will validate it. This includes testing the reported vulnerabilities. We don't require a Proof of Concept script/tool, but we do welcome them, as they improve our ability to validate the report and test against the patches.
Once validated, our team will work on a patch. We offer reporters access to the beta versions of the patch file that will be released; however, more minor vulnerabilities tend to be fixed directly in the public repositories.
Due to our small team size and because we are all volunteers, we do not have timelines we can give beyond estimates. With a small team, it takes a bit of coordination to ensure we have enough members around to do the release process, have a backup person should something happen during the release process, and have additional members verify that everything is being updated on various pages.
We are open to crediting individuals or organizations for proper reporting and for keeping the issue private until we have made the release. We will ask you about this after we validate the report. We reserve the right to refuse or limit how we credit. We typically do not provide credit for publicly known vulnerabilities or if the information is released before we make the official release.
As a donation- and ad-supported project, we do not have the funds to pay bounties.
We may offer beta tester access on our community forums to those who continue reporting. This provides you with the released beta patches, which may include patched security vulnerabilities not yet publicly visible in our git repository.
Thank you to all those who helped us by scanning our repositories and reviewing our code. Your efforts go a long way to ensuring our community is receiving a secure product to use.