MODX takes security seriously and appreciates the effort of the (security) community that help us find and fix security vulnerabilities. To help ensure the security and privacy of our users we encourage responsible disclosure of security vulnerabilities.
If you believe you have found a security vulnerability in MODX please let us now right away by submitting a Security Report.
MODX is not responsible for Extras for MODX, nor any security issues found within them. Report security bugs in MODX Extras to the person or team maintaining the Extra or Third Party Component.
Security Reports should be reported via the "Report a Security Issue" form or security@modx.com. This will automatically notify the Security Team and create an issue for it to be monitored and addressed.
Public announcements are to be issued after a patch/hotfix release is made to address the issue - not before. Security issues should be kept within the Security Team until such a release is made to minimize collateral damage should such an issue be found, and not shared with the public at large.