If you discover a security vulnerability in of the addons in the Statamic Rad Pack, please review the following guidelines before submitting a report. We take security very seriously, and we do our best to resolve security issues as quickly as possible.
While working to identify potential security vulnerabilities, we ask that you:
- Privately share any issues that you discover with us via statamic.com/support as soon as possible.
- Give us a reasonable amount of time to address any reported issues before publicizing them.
- Only report issues that are in scope.
- Provide a quality report with precise explanations and concrete attack scenarios.
We are only interested in vulnerabilities that affect the addons themselves, tested against your own local installation of the software, running the latest version. Do not test against any Statamic sites that you don't own, including statamic.com or statamic.dev.
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Arbitrary Code Execution
- Privilege Escalation
- SQL Injection
- Session Hijacking
- XSS vectors or bugs that rely on an unlikely user interaction (i.e. a privileged user attacking themselves or their own site)
- Reports from automated tools or scanners
- Theoretical attacks without actual proof of exploitability
- Attacks that can be guarded against by following our security recommendations.
- Server configuration issues outside of Statamic’s control
- Denial of Service attacks
- Brute force attacks (e.g. on password or email address)
- Username or email address enumeration
- Social engineering of Statamic staff or users of Statamic installations
- Physical attacks against Statamic installations
- Attacks involving physical access to a user’s device, or involving a device or network that is already seriously compromised (e.g. man-in-the-middle attacks)
- Attacks that are the result of Statamic Core should be reported to the Statamic Core Team
- Disclosure of tools or libraries used by Statamic and/or their versions
- Issues that are the result of a user doing something silly (like sharing their password publicly)
- Missing security headers which do not lead directly to a vulnerability via proof of concept
- Vulnerabilities affecting users of outdated/unsupported browsers or platforms
- Vulnerabilities affecting outdated versions of Statamic
- Any behavior that is clearly documented.
- Issues discovered while scanning a site you don’t own without permission
- Missing CSRF tokens on forms (unless you have a proof of concept, many forms either don't need CSRF or are mitigated in other ways) and "logout" CSRF attacks
- Open redirects