Responsible Disclosure Policy documentation for the dotCMS Content Management System

dotCMS Responsible Disclosure Policy

dotCMS takes security very seriously and always aims to provide the most secure CMS platform that keeps customer content, data and systems safe. At dotCMS, we investigate all received vulnerability reports and implement the best course of action in order to protect our customers, both cloud-based and on-premise. dotCMS believes that working with skilled security researchers can help identify weaknesses in any technology.

If you are a security researcher and have discovered a security vulnerability in dotCMS products and services, we appreciate your help in disclosing it to us in a responsible manner.

Our Commitment

If you identify a verified vulnerability in compliance with dotCMS’s Responsible Disclosure Policy, the dotCMS security team commits to:

  • Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission);

  • Work closely with you to understand the nature of the issue and work on timelines for fix/disclosure together;

  • Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated;

  • Post a description on our security page when the fix is released, and credit / acknowledge your contribution;

  • Post a security advisory/CVE if required.

Reporting a potential security vulnerability:

  • Review existing security reports to see if the security vulnerability has already been reported. The list of existing/known security issues can be found here:
    https://dotcms.com/docs/latest/known-security-issues
  • Please do not post a potential security issue on our GitHub repository, as that is the same as disclosing it publicly. Instead, privately share details of the suspected vulnerability with dotCMS by sending an email encrypted with our gpg key to security@dotcms.com.

  • If you require it, please send an email to security@dotcms.com to request our gpg key.

  • Provide full details of the suspected vulnerability so the dotCMS security team may validate and reproduce the issue.

dotCMS does not permit some types of security research:

To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:

  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues as quickly as possible, but it is important to understand that dotCMS has both cloud and on-premise customers, each of which might require different solutions in order to mitigate security issues.

  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading any dotCMS service or operation.

While researching, the following conduct is expressly prohibited:

  • Performing actions that may negatively affect dotCMS and its users (e.g. Spam, Brute Force, Denial of Service…).

  • Accessing, or attempting to access, data or information that does not belong to you.

  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.

  • Conducting any kind of physical or electronic attack on dotCMS personnel, property, or system environments.

  • Social engineering any dotCMS service desk, employee, or contractor.

  • Violating any laws or breaching any agreements in order to discover vulnerabilities.

dotCMS would like to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture.

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://dotcms.com/docs/latest

Contact

dotCMS is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@dotcms.com.

Responsibility

It is the CTO’s responsibility to see that this policy is enforced.

Last updated: 2/8/2021