
How to report a vulnerability in Umbraco

Step-by-step guide on how to report a security bug/vulnerability

For responsible disclosure of a possible security vulnerability in Umbraco CMS, Umbraco Cloud, Umbraco Forms or Courier, we'd like you to follow these guidelines.

This way we get all the information we need in order to take appropriate and timely action. We therefore ask you to report it directly to us and not to report the vulnerability in any public forums (like GitHub), to ensure that it does not get exploited in the wild.

How to report a vulnerability

What we expect from you

In order for us to fix and handle the vulnerability appropriately, we need your help. We need you to:

  • Not tell anyone about the problem until we have fixed it. You will also not submit it as a CVE during this time.

  • Make sure to verify your claim of a security vulnerability by sharing a proof of concept.
  • Reporting the results of an automated scan is usually not helpful. Please send us proof of how you think an attacker could exploit each of the scan results.

What'll happen next?

We will acknowledge receipt of your vulnerability report ASAP, usually within 1 business day. If we take the security issue further, we'll send you regular updates about our progress. As an acknowledgement of your contribution, we offer to publicly acknowledge your disclosure. 

If your security vulnerability gets merged, we'll communicate about it along with a fix in a public security advisory on the Umbraco blog.

List of security contributors

We'd like to thank the contributors for their amazing efforts in making Umbraco safer, and we've therefore gathered a dedicated list of Umbraco security contributors.

The people listed here are the first who provided us with actionable security information that helped us fix a particular vulnerability.
