
Concrete CMS
External Program
Submit bugs directly to this organization


PortlandLabs Inc is the creator and maintainer of the open source content management system Concrete CMS (also known as concrete5 or Concrete).
PortlandLabs manages the vulnerabilities in the Concrete core software, https://github.com/concrete5/concrete5. PortlandLabs creates and updates CVEs for fixed security vulnerabilities for supported versions of Concrete.
Concrete core vulnerabilities are listed on NIST so that the community can take action to harden their sites.
To help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.
PortlandLabs does not commit to creating CVEs for issues outside the Concrete core, or for reports that are not considered vulnerabilities in the core. These include, but are not limited to:
Server or CMS configuration issues. We recommend that you check the Concrete CMS Configuration Best Practices, which describe several important settings that may resolve what you are about to report.
Default credentials
CSRF on logout
Self-DoS (denial of service that affects only the reporter's own account or session)
Vulnerabilities in Concrete (concrete5) marketplace products created by the open source community
Third-party libraries
Updates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete.
See Concrete Core Releases. Release notes detail the security fixes that are made. Recent releases mention CVEs that are remediated in that release.
We use the versioning scheme MAJOR.MINOR.PATCH:
MAJOR - example: for version 8.0.0, the eight is the major number. Major releases make substantial changes to the CMS; verify functionality on a staging site before upgrading.
MINOR - example: for version 8.5.0, the five is the minor number. We strongly recommend that you follow best practice and verify functionality on a staging site.
PATCH - example: for version 8.5.2, the two is the patch number. Patch releases contain both bug fixes and security fixes; the version number does not indicate which of the two a release contains, so treat every patch release as potentially security-relevant. Best practice is to verify functionality on a staging site or take a backup snapshot first.
Please report Concrete core and marketplace add-on vulnerabilities via HackerOne, which provides automatic status updates. Marketplace add-on vulnerabilities will be closed as "informative" and the independent developer of the add-on will be informed. HackerOne provides a monitored method to report, track and communicate remediation for Concrete core vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. PortlandLabs can only accept reports in English.
Check the NIST NVD page where all CVEs for the Concrete core are listed. If the vulnerability you are about to report already has a CVE, please help the community by NOT submitting a duplicate.
If a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.
Only the first submitter will be credited for the vulnerability discovery.
Please install a local copy of Concrete; it is open source. This lets you test Concrete without disrupting other users. Attacking our trial servers or concrete5.org will not be well received.
See the Installation Guide to download Concrete
We greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.
We receive many reports from security researchers who do not read these submission requirements. To prove that you have read and understood the rules outlined on this page, please include the word "crayons" somewhere in your report. If you do not, your report will automatically be flagged by HackerOne.
Please be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.
Vulnerabilities will not be disclosed until a fix is publicly available.
Reporters are expected to follow the HackerOne General Terms and Finder Terms.
We've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt.
Since we deeply appreciate the contributions of the community to keep Concrete secure, we will acknowledge your security submission upon receipt.
We will respond to clear, understandable reports within 5 days on whether we deem your submission to be a unique vulnerability.
We will apprise you once a CVE # is assigned.
We will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter.
All security issues brought to our attention are examined and handled using PortlandLabs' FedRAMP-, ISO 27001:2013- and SOC 2-audited vulnerability management process.
CVSS 3.1 Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score.
Note that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access.
We cannot promise resolution on a fixed timeline for every issue. However, our intended remediation policy for vulnerabilities in the Concrete core is as follows:
Critical (CVSS 3.1 score 9.0 to 10.0): 30 days
High (CVSS 3.1 score 7.0 to 8.9): 90 days
Concrete CMS is a CVE Numbering Authority (CNA) and hence publishes CVEs for active versions of Concrete CMS. We attempt to publish CVEs within 24 hours of PortlandLabs publicly advising on a vulnerability.
If you have any doubts or confusion about where or how to report your security concern or issue, please email [email protected]