Security Policy

Brandon Kelly edited this page Feb 10, 2019 · 10 revisions

If you discover a security vulnerability in Craft CMS, please review the following guidelines before submitting a report. We take security very seriously, and we do our best to resolve security issues as quickly as possible.


While working to identify potential security vulnerabilities in Craft, we ask that you:

  • Privately share any issues that you discover with us via as soon as possible.
  • Give us a reasonable amount of time to address any reported issues before publicizing them.
  • Only report issues that are in scope.
  • Provide a quality report with precise explanations and concrete attack scenarios.


We are only interested in vulnerabilities that affect Craft CMS itself, tested against your own installation of the software. You can install a local copy of Craft by following these installation instructions. Do not test against any Craft installation that you don’t own, including

Qualifying Vulnerabilities

Non-Qualifying Vulnerabilities

  • Reports from automated tools or scanners
  • Theoretical attacks without actual proof of exploitability
  • Attacks that can be guarded against by following our security recommendations.
  • Server configuration issues outside of Craft’s control
  • Denial of Service attacks
  • Brute force attacks (e.g. on password or token hashes)
  • Username or email address enumeration
  • Social engineering of Pixel & Tonic staff or users of Craft installations
  • Physical attacks against Craft installations
  • Attacks involving physical access to a user’s device, or involving a device or network that is already seriously compromised (e.g. man-in-the-middle attacks)
  • Attacks that are the result of a 3rd party Craft plugin should be reported to the plugin’s author
  • Attacks that are the result of a 3rd party library should be reported to the library maintainers
  • Bugs that rely on an unlikely user interaction (i.e. the user effectively attacking themselves)
  • Disclosure of tools or libraries used by Craft and/or their versions
  • Issues that are the result of a user doing something silly (like sharing their password publicly)
  • Missing security headers which do not lead directly to a vulnerability via proof of concept
  • Vulnerabilities affecting users of outdated/unsupported browsers or platforms
  • Vulnerabilities affecting outdated versions of Craft
  • Any behavior that is clearly documented.
  • Issues discovered while scanning a site you don’t own without permission
  • The OPTIONS header
  • Missing CSRF tokens on forms (unless you have a proof of concept, many forms either don't need CSRF or are mitigated in other ways) and "logout" CSRF attacks
  • Open redirects


To show our appreciation for the work it can take to find and report a vulnerability, we’re happy to offer researchers a monetary reward.

Reward amounts vary depending upon the severity. Our minimum reward for a qualifying vulnerability report is $50 USD and we expect to pay $500+ USD for major vulnerabilities.

A report will qualify for a bounty if:

  • Our Guidelines have been followed in full.
  • The vulnerability was previously unknown to us, or your report provides more information or shows the vulnerability to be more extensive than we originally thought.
  • The vulnerability is non-trivial.
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.