Responsible Security Disclosure

MODX is committed to treating our customers’ data with the utmost care. As part of this, we welcome responsible disclosure from security researchers under the following terms.

Reporter Recognition

While we do not pay for security or bug bounties, unless explicitly outlined otherwise, we look forward to working with the community and security researchers to improve the open source software we maintain and distribute and its supporting services. We do, however, officially acknowledge and recognize security researchers on this page and on one or more of our social channel(s) and a LinkedIn Endorsement from one of the MODX founders upon request.

Reporter Program and Guidelines

• Submit reports in good faith without expectation of a monetary reward or threat of harm.
• Automated testing is not permitted.
• Test only with your own accounts when investigating bugs, and do not interact with other accounts without the consent of their owners.
• To qualify for recognition, all reports must include a full demonstration of the vulnerability and/or clear reproduction steps. “Speculative” vulnerabilities (example: reporting that a subdomain is potentially vulnerable to takeover) do not qualify.
• Acknowledgement will be given to the first person to report the issue to us. We will review and recognize subsequent reports if they provide additional information.
• We publish acknowledgements at the time of the fix. MODX will keep you posted as we work to resolve them.

Scope

What’s In Scope

• The currently supported releases of MODX Revolution (not previous patch releases or EOL versions)
• modx.com and any of it’s associated services hosted on its subdomains
• dashboard.modxcloud.com
• community.modx.com

What’s Out of Scope

The following bugs and security reports will not be acknowledged:

• Self-XSS (XSS requiring interaction other than browsing to exploit)
• Issues that require Admin/Sudo privileges to the back-end MODX Revolution Manager
• Issues that are considered features of the back-end of MODX Revolution Manager
• Issues found through automated testing
• "Tab-Nabbing" or other rel="noopener" bugs
• "Scanner output" or scanner-generated reports
• Publicly-released bugs in internet software
• "Advisory" or "Informational" reports that do not include any MODX or MODX Cloud-specific testing or context
• Vulnerabilities requiring physical access to the victim's unlocked device
• Denial of Service attacks
• Brute Force attacks
• Spam or Social Engineering techniques, including:
  • SPF, DKIM, and DMARC issues
  • Content injection
  • Hyperlink injection in emails
  • IDN homograph attacks
  • RTL Ambiguity
• Content Spoofing
• Version number information disclosure
• Discovery of publicly-available URLs
• *.modx.dev and c*.paas.*.modxcloud.com development domains
• Disclosure of individual user email addresses on public calendar pages
• Third-party applications on the MODX or MODX Cloud Application directory (identified by the existence of a "Report this app" link on the app's page). Please report issues with these services to the creator of that specific application.
• Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
• CSRF-able actions that do not require authentication (or a session) to exploit
• Reports related to the following security-related headers:
  • Strict Transport Security (HSTS)
  • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
  • X-Content-Type-Options
  • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
• Bugs that do not represent any security risk - these should be reported to their appropriate source code repository hosted at Github
• Security bugs in third-party applications or services built with MODX. Please report them to the third-party that built the application, website, or service.
• Security bugs in software related to an acquisition for a period of 90 days following any public announcement

Issue Classification

The following guidelines give you an idea of how we classify different bugs and issues. Please make sure there is enough information for us to be able to reproduce your issue. Step-by-step instructions to reproduce your issue starting out by creating a fresh MODX or MODX Cloud account or installation are preferred. Screenshots and videos are also helpful.

Please make sure to not make anything in your disclosure public before submitting it to us and before confirming with us that that’s OK to follow our program’s rules.

Low Severity Bugs

• Server misconfiguration or provisioning errors
• Information leaks or disclosure (excluding customer data), eg HTTP referrer leak
• Improper or missing input validation
• And other low-severity issues

Medium Severity Bugs

• Information leaks or disclosure (including customer data)
• XSS compromising another user’s data
• Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
• And other medium-severity issues

High Severity Bugs

• Remote Code Execution
• Remote database access
• Privilege Escalation
• Bypassed Authentication
• SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)

This form is for those who have found a security issue or vulnerability with MODX Revolution or MODX web properties noted in the scope above. After you submit your issue, the MODX Security Team will be notified of the issue and begin reviewing it and reach out if they need more details.