Commit
1 parent 5182cbd, commit f8dcb88
Showing 3 changed files with 30 additions and 12 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,30 @@ | ||
--- | ||
name: 🔐 Support Question | ||
about: Having trouble with Bolt? -> http://bolt.cm/community. | ||
name: 🔐 Security Issue | ||
about: Discovered a Security Issue in Bolt? | ||
--- | ||
|
||
⚠️ PLEASE DON'T DISCLOSE SECURITY-RELATED ISSUES PUBLICLY, SEE BELOW. | ||
|
||
If you have found a security issue in Bolt, please send the details to | ||
security@bolt.cm and don't disclose it publicly until we can provide a | ||
fix for it. | ||
security@bolt.cm and don't disclose it publicly until we can provide a fix for | ||
it. If you wish, we'll credit you for finding verified issues, when we release | ||
the patched version. | ||
|
||
A note on "Self XSS" | ||
-------------------- | ||
|
||
Bolt is a CMS, that allows users to edit content on a website. As such, | ||
all _authenticated users_ can: | ||
|
||
- Edit content, and (depending on the field types) insert HTML and CSS in that | ||
content, with a variety of allowed attributes. | ||
- Depending on the user level: Edit template files, and insert HTML, CSS and | ||
javascript in those. | ||
- Upload files to the site, which will become publicly available. In the | ||
default settings, this includes `.PDF` and `.SVG` files. | ||
|
||
We see these functionalities as _features_, and not as security issues. Please | ||
report the mentioned items only if they can be performed by non-authorized | ||
users, or other exploitable vulnerabilities. | ||
|
||
Thanks! |
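Review bot: the new front matter's `about:` line ("Discovered a Security Issue in Bolt?") is a question, not an instruction, so someone picking this template from the chooser is not told to go to security@bolt.cm until after a public issue form is already open; consider something like `about: Please do NOT open an issue. Report security problems privately to security@bolt.cm.` so the private channel is visible before the body. Two smaller points in the body: the heading "A note on "Self XSS"" is narrower than the bullets beneath it, which cover content editing, template editing (including javascript) and public file uploads (`.PDF`, `.SVG`), so a heading such as "What authenticated users can do by design" would match the list better; and the closing sentence "Please report the mentioned items only if they can be performed by non-authorized users, or other exploitable vulnerabilities." reads as if "other exploitable vulnerabilities" were also subject to the "only if" condition. Splitting it, e.g. "Please report the items above only if they can be performed by non-authorized users. Any other exploitable vulnerability should of course be reported.", removes the ambiguity. Note also that the commit header says 3 changed files but only this template's diff is shown here, so the other two files cannot be reviewed from this page.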