For responsible disclosure of a possible security vulnerability in Umbraco CMS, Umbraco Cloud, Umbraco Forms or Courier, we'd like you to follow these guidelines.
This way we get all the information we need in order to take appropriate and timely action. Thus, we ask you to report it directly to us thus, not to report the vulnerability in any public forums (like GitHub) etc. to ensure that it does not get exploited in the wild.
How to report a vulnerability
- Reach out to us directly at security@umbraco.com
- Make sure to provide us with as much and thorough information as you can
- If necessary, you may PGP encrypt your email. Our public key is 0x772416F630362CA2 (also to be found on https://keyserver.pgp.com/ and https://keybase.io/umbraco)
What we expect from you
In order for us to fix and handle the vulnerability appropriately, we need your help. We need you to:
-
Not tell anyone about the problem until we have fixed it. You will also not submit it as a CVE during this time.
- Make sure to verify your claim of a security vulnerability by sharing a proof of concept
-
Reporting the results of an automated scan is usually not helpful. Please send us proof on how you think an attacker could exploit each of the scan results.
What'll happen next?
We will acknowledge receipt of your vulnerability report ASAP, usually within 1 business day. If we take the security issue further, we'll send you regular updates about our progress. As an acknowledgement of your contribution, we offer to publicly acknowledge your disclosure.
If your security vulnerability gets merged, we'll communicate about it along with a fix in a public security advisory on the Umbraco blog.
List of security contributors
We'd like to thank the contributors for their amazing efforts in making Umbraco safer, and we've therefore gathered a dedicated list of Umbraco security contributors.
The people listed here, are all the first who provided us with actionable security information which helped us fix a particular vulnerability.