ExpressionEngine Docs

Bugs and Security Reports

Reporting Bugs

Note: If you have a security issue to report, please submit to our security and disclosure platform as described below. DO NOT open an issue on GitHub or post publicly. This helps keep end users secure while patches are being made.

Note: While current and legacy versions of ExpressionEngine receive security fixes, only current versions of ExpressionEngine will receive bug fixes. Please reference the Version Support page of the ExpressionEngine website for more information.

Found a bug in a current version of ExpressionEngine? Report it as an issue on our public GitHub repo. See the Contributing Guidelines.

Security Reporting Guidelines

We take security issues very seriously and encourage responsible reporting, with a high priority on making security fixes or patches available rapidly, prior to any public disclosure of the vulnerability. We find this is the best balance between giving security issues the attention they rightly deserve and protecting end users and site visitors from malicious individuals and script kiddies.

All software has vulnerabilities, but when we work together with developers and researchers, we can all help make the Internet a safer and better place. We love to acknowledge researchers who make valid security reports and work with us, and while we do not have a bounty program, we sometimes donate software or swag for being classy.

If you have a security issue in a current or legacy version of ExpressionEngine to report, you can let us know at support@expressionengine.com or if you prefer at HackerOne.

What are Security Issues?

When we speak about security-related bugs, we are most interested in:

Making Good Security Reports

We don’t have rigid guidelines for what a security bug report should include, as we want to minimize barriers—ultimately we just want to receive the information. That said, the best security reports not only describe the vulnerability, but include a proof of concept as well as how it might be exploited in a realistic situation. Bonus points for including your recommended solution.

Conversely, security reports that are merely the raw output of penetration testing or vulnerability scanning software are generally unhelpful and typically contain false positives: the tool cannot grasp the context or implications of a piece of code that happens to match one of the items on its vendor's preset list of vulnerability patterns. If a scanner finding is your starting point, confirm it by hand and show how it is actually reachable before reporting it.

Since our team only speaks English, all security reports must be made in English, and communication will be in that language.

Reporting and Disclosure

Once you have reported a security issue, we take a number of steps to assess and address it prior to disclosure.