PortlandLabs Inc is the creator and maintainer of the open source content management system Concrete CMS (also known as concrete5 or Concrete).

Scope

PortlandLabs manages the vulnerabilities in the Concrete core software, https://github.com/concrete5/concrete5. PortlandLabs creates and updates CVEs for fixed security vulnerabilities for version 8.5.4 and above.   

Concrete core vulnerabilities are listed on NIST so that the community can take action to harden their sites.

To help keep the web safe, we will not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are publicly available.


What is not in Scope

PortlandLabs does not commit to create CVEs for things outside the Concrete core or for things not considered to be vulnerabilities to the core. These include, but are not limited to:

  • Server configuration issues

  • Default Credentials

  • CSRF Logout

  • Self DoS capability

  • Vulnerabilities for Concrete (concrete5) marketplace products created by the open source community 

    • Concrete is open source. There are thousands of add-ons and themes for Concrete which are not managed by PortlandLabs. We do our best to report vulnerabilities to the author of a marketplace item but we currently do not create and manage CVEs for them.

  • 3d Party libraries. 

    • The 3d party libraries used in Concrete (jQuery, PHP, ADODB, TinyMCE, etc) have their own vulnerability management programs. Our release notes, however, will identify updates to external libraries made for security reasons that are included as part of Concrete core releases.


Patched Versions

Updates, including security updates, are only guaranteed to be included in the next version of the Concrete core. In order to ensure that your site is secure, it is important for you to keep your site on the latest version of Concrete. 

See concrete5 Core Releases. Release notes detail the security fixes that are made. Future releases will detail CVEs that are remediated in that release. 

We use the versioning scheme MAJOR.MINOR.PATCH

  • MAJOR- example: For version 8.0.0, the eight would be the Major number. (Verify functionality on a staging site prior to upgrading. Major changes to CMS.)

  • MINOR - example: For version 8.5.0, the five is the minor number (Strongly recommend that you follow best practice and verify functionality on a staging site)

  • PATCH - example: For version 8.5.2, the two is the patch number. Patches are created for both bug and security fixes. We do not differentiate between bug and security fixes by the versioning number.  (Best practice would be to verify functionality on a staging site or take a backup snapshot first.)

 

Want to Report a Security Vulnerability? 

Report Via HackerOne

Please report Concrete core vulnerabilities via HackerOne which provides automatic status updates. HackerOne provides a monitored method to report, track and communicate remediation for Concrete vulnerabilities. HackerOne is monitored by the PortlandLabs security team and selected Concrete experts. 

Currently not accepting reports for the community site - concrete5.org 

We are actively working to upgrade the concrete5.org site and request that you hold off reporting vulnerabilities for the community site at this time. Should you choose to submit a report for concrete5.org, we will acknowledge your submission, and we might take action, but please understand that no information updates will be provided. 

Avoid Duplicate Reporting

Check the NIST page where all CVEs related to the Concrete corebase are listed. If the vulnerability you are about to report already has a CVE, please help out the community by NOT submitting a duplicate. 

If a vulnerability has previously been reported, we will inform the new reporter that their submission is a duplicate and will request that it not be publicly disclosed.

Only the first submitter will be credited for the vulnerability discovery.

Respect Others

Please install a local copy of Concrete. It is open source! This will let you test Concrete without disrupting other users. Beating on our trial servers or concrete5.org will not be well-received.

See the Installation Guide to download Concrete 

Be Clear

We greatly appreciate the time you spent finding the issue. Please spend a couple extra minutes to spell out what you are able to exploit with it. We’re eager to build a web for the greater good; the more info you provide, the swifter the web can be a safer place! Special public acknowledgement will be provided to reporters who provide a fix at the time they report the issue.

Rule Acknowledgement required to Report

We receive many reports from security researchers who do not read these submission requirements. To prove that you've read and understood the rules outlined on this page, please include the word "crayons" somewhere in your report. If you do not, your report will be closed as invalid automatically by HackerOne.

Do Not Disclose

Please be responsible! We're here because we want to know vulnerabilities before the world does so we have a chance to provide a solution in a reasonable timeframe. We assume you want the same; hence, please report issues directly to us on HackerOne.

Vulnerabilities will not be disclosed until a fix is publicly available. 

Reporters are expected to follow the HackerOne General Terms and Finder Terms

Credit

We've got some limited swag and lots of honor for those who are the first to submit an issue related to the core software, but no cash. Generally we're sending out stickers, but occasionally a truly stellar report gets a t-shirt. 


What We Do 

Keeping You in the Loop

Since we deeply appreciate the contributions of the community to keeping concrete5 secure, we will acknowledge your security submission upon receipt. 

We will respond to clear, understandable, reports within 5 days on whether we deem your submission to be a unique vulnerability. 

We will apprise you once a CVE # is assigned. 

We will advise reporters when the issue they reported is fixed. Credit for reporting a vulnerability will be given in the release to the initial reporter. 


Vulnerability Management Process

All security issues brought to our attention are examined and treated using PortlandLabs FedRAMP and ISO 27001:2013 audited Vulnerability Management Process. 

Risk Ranking

CVSS 3.1 Base scoring is used by PortlandLabs to rank vulnerabilities to the Concrete core. PortlandLabs, as the founders of the Concrete CMS, has the ultimate authority to determine a vulnerability’s score. 

Note that vulnerabilities which require administrative access to the CMS in order to exploit them are given a lower priority since administrative access, by its very nature, allows privileged access. 

Remediation

We cannot promise absolute resolution on a fixed timeline for every issue. However, our intended remediation policy for vulnerabilities to the Concrete Core is as follows:

Critical: CVSS 3.1 Score 9-10  30 Days  

High: CVSS 3.1 Score 7.0-8.9  90 Days

CVE Management

PortlandLabs will ensure that CVE entry details are sent to MITRE and NIST within 24 hours of PortlandLabs publicly advising on a vulnerability.


IF YOU HAVE ANY DOUBTS or confusion as to where or how to report your security concern or issue, please email security@concrete5.org