Security: SparkDevNetwork/Rock

SECURITY.md

Security Policy

Reporting a Vulnerability

We take security vulnerabilities in Rock RMS seriously. If you discover a security issue, please report it responsibly to info@sparkdevnetwork.org rather than opening a public issue.

What to Include

When reporting a vulnerability, please provide:

  • A clear description of the vulnerability
  • Affected Rock versions (e.g., v15.0, v16.1)
  • Steps to reproduce the issue
  • Potential impact (privilege escalation, data exposure, denial of service, etc.)
  • Any proof of concept code (optional but helpful)
  • Your contact information

Response Timeline

  • 24-48 hours: You will receive acknowledgment of your report
  • 5-7 business days: Initial assessment and next steps will be communicated
  • Ongoing: We will update you on remediation progress

Coordination and Disclosure

Once a vulnerability is confirmed:

  1. We will work to develop and test a fix
  2. A patch will be released as part of the next scheduled Rock release or as an emergency patch if severity warrants
  3. We will notify our community through official Spark Development Network channels with the secured version of Rock they should be running

To protect the hundreds of churches running Rock RMS, we intentionally do not publish exploit details or technical specifics of confirmed vulnerabilities. Many Rock installations are self-hosted and not immediately updated, and broadcasting exploit details creates unnecessary risk for those organizations.

When a vulnerability is patched, we will proactively communicate to our community the importance of updating, the minimum secured version they should be running, and any urgency warranted by the severity of the issue.

Please do not:

  • Publicly disclose the vulnerability before we have confirmed receipt and begun remediation
  • Report the vulnerability through public GitHub issues, pull requests, or other public channels
  • Share vulnerability details with third parties without our permission

Security Updates

Stay informed about Rock RMS security updates:

Questions?

If you have questions about this policy or the disclosure process, contact info@sparkdevnetwork.org.

Thank you for helping keep Rock RMS secure.