
Security: SimpleMachines/SMF

SECURITY.md

# Security Policy

## Supported Versions

| Version | Supported |
| ------- | --------- |
| 3.0.x   |           |
| 2.1.x   |           |
| 2.0.x   |           |
| 1.x     |           |

## Reporting a Vulnerability

To report a security issue, use one of the following:

### (Preferred) Simple Machines Security Form

We prefer to receive security reports via our security form. Please include all relevant information in your report.

### GitHub Security Advisory

GitHub Security Advisories may also be used.

### Email

You can email us using the standard security@ address for our main website, [Simple Machines](https://simplemachines.org).

## The process

When we receive your report, our team validates it. This includes testing the reported vulnerabilities. We don't require a Proof of Concept script/tool, but we do welcome them, as they can improve our ability to validate the report and test against the patches.

Once validated, our team will work on patching. We offer reporters access to the beta versions of the patch file that will go out; however, more minor vulnerabilities tend to be fixed directly in the public repositories.

Due to our small team size and because we are all volunteers, we do not have timelines we can give beyond estimates. With a small team, it takes a bit of coordination to ensure we have enough members around to do the release process, have a backup person should something happen during the release process, and have additional members verify that everything is being updated on various pages.

## Credits

We are open to giving credits to individuals or organizations for proper reporting and keeping the issue private until we have made the release. We will ask you after we validate this. We reserve the right to refuse or limit how we credit. We typically do not provide credits for publicly known vulnerabilities or if the information is released before we make the official release.

## Bounties

As a donation- and ad-supported project, we do not have the funds to pay bounties.

## Continued reporting

We may offer beta tester access on our community forums to those who continue reporting. This provides you with the released beta patches, which may include patched security vulnerabilities not yet publicly visible in our git repository.

## Thank you

Thank you to all those who have helped us by scanning our repositories and reviewing our code. Your efforts go a long way toward ensuring our community receives a secure product to use.
