This is the Vulnerability Disclosure Program for UsingJoomla.com
This website uses the Joomla Content Management System (CMS), together with a number of associated extensions, plugins, modules, and components that add features and improve the user experience.
Terminology and meanings
In this Vulnerability Disclosure Program Policy Document, the following words have the corresponding meaning(s):
'We' 'Us' 'Our' 'this website' - means UsingJoomla.com
'You' 'Your' - the person reading this document, the Researcher.
'Researcher' 'Security Researcher' - means the person who is researching, or looking for, one or more vulnerabilities.
'This Policy' 'This Document' 'this Policy Document' - means this Vulnerability Disclosure Program Policy Document that You are reading right now.
Vulnerability Disclosure Program Document - Main Body
We are committed to:
- Investigating Security issues
- Resolving Security issues
- Working in collaboration with the Security community
- Responding actively and promptly to actual or potential Security issues
We welcome the work, and reports, of Security Researchers - sometimes known as 'Ethical Hackers'.
Security Researchers and users who discover a vulnerability should follow the guidelines below.
You should not:
- Use high-intensity, invasive or destructive technical security scanning tools to find vulnerabilities
- Modify data within Our systems or services
- Introduce malicious software
- Social engineer, 'phish' or physically attack Our staff, users, or infrastructure
- Disclose any vulnerabilities to third-parties, or the public, prior to Us confirming that those vulnerabilities have been mitigated or rectified
- Send unsolicited electronic mail to Us or Our users, including “phishing” messages
- Violate the privacy of Our users, staff, contractors, services or systems. For example, by sharing, redistributing and/or not properly securing data retrieved from Our systems or services
- Access unnecessary amounts of data. For example, 2 or 3 records are enough to demonstrate most vulnerabilities, such as an Insecure Direct Object Reference (IDOR) vulnerability
- Test in a manner which could degrade the operation of Our systems, or intentionally impair, disrupt, or disable Our systems
- Execute, or attempt to execute, Denial of Service (DoS) or Resource Exhaustion attacks
- Demand financial compensation in exchange for disclosing a vulnerability, for example by holding Us to ransom
- Delete, alter, share, retain, or destroy Our data, or render Our data inaccessible
- Use an exploit to compromise systems, steal or remove data, establish command-line access and/or persistence, or pivot to other systems
Security Researchers should:
- Securely delete any and all data retrieved during Your research as soon as it is no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first
- Cease testing and notify Us immediately upon discovery of a vulnerability
- Cease testing and notify Us immediately upon discovery of an exposure of non-public data
Nothing in this Vulnerability Disclosure Program Policy Document is intended to stop You from notifying third parties for whom a vulnerability is directly relevant. An example is where the vulnerability being reported is in a third-party software library, framework, extension, plugin, or component. Details of the specific vulnerability as it applies to Us must not be referenced in such reports.
If You make a good faith effort to comply with this Vulnerability Disclosure Program during Your security research, We will consider Your research to be authorised, We will work with You to understand and resolve the issue quickly, and We will not recommend or pursue legal action related to Your research.
Under this Vulnerability Disclosure Program Policy Document, research means activities in which You:
- Notify Us as soon as possible after You discover a real or potential security issue
- Do not intentionally compromise the privacy or safety of Our personnel or any third party
- Provide Us with a reasonable amount of time to resolve the issue before You disclose it publicly
- Do not intentionally compromise the intellectual property or other commercial or financial interests of Our personnel or entities, or of any third party
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
- Only use exploits to the extent necessary to confirm the presence of one or more vulnerabilities
Security Researchers may:
- View or store Our non-public data only to the extent necessary to document the presence of a potential vulnerability
What to tell Us
In Your report please include details of:
- the page where the vulnerability can be observed
- a description of the type of vulnerability, for example "XSS vulnerability"
- steps to reproduce, in the form of a benign, non-destructive proof of concept
When You disclose a vulnerability to Us, We collect Your name, email address and all details provided by You. We retain such information for administrative purposes, and to be able to respond to You and track further correspondence during the investigation of the reported vulnerability.
When You disclose a vulnerability to Us, You agree to the use of Your personal information as stated above.
Joomla, as a Content Management System, has its own vulnerability reporting mechanism, which can be found at joomla.org/security.html; the use of this avenue should also be considered where the vulnerability lies in Joomla itself.
Sending Vulnerability Reports To Us
Reports of one or more vulnerabilities may be sent to Us via: security[at]usingjoomla[dot]com
Non-Vulnerability related messages sent to the above address will not be replied to and will be deleted without further notice.
This Vulnerability Disclosure Program Policy Document was written on 18th June 2023, and may be reviewed / updated at any time.