Handling Vulnerability Reports is a part of the Application Life-Cycle, and the development team at Massively Modified takes all vulnerabilities very seriously.
If you like our software, please consider making a donation. Donations help greatly to maintain the Massively Modified network and the continued support of our open source offerings.
Our Vulnerability Reporting process is very similar to GitLab's. In fact, you could say it's a fork.
To submit a vulnerability report, please email the Security Group. We will try to acknowledge receipt of the report by the next business day and to provide regular updates on our progress.
If you are curious about the status of your report, feel free to email us again. If you wish to encrypt your disclosure email (as with GitLab), please email us to ask for our GPG key.
Requests for Compensation
Please refrain from requesting compensation for reporting vulnerabilities. We will publicly acknowledge your responsible disclosure, if you request us to do so. We will also try to make the confidential issue public after the vulnerability is announced.
Indexing of Vulnerabilities
You are not allowed to, and will not be able to, search for vulnerabilities on Gitlab.com. As our software is open source, you may download a copy of the source and test against that instead.
Making Vulnerability Reports
Submitting a vulnerability report is not complicated, but we do ask that certain information be included so that the report is complete and helps the development team resolve the vulnerability as quickly as possible. This information includes, but is not limited to:
- What the vulnerability is
- The steps to reproduce the vulnerability
- What impact an attacker could have by exploiting the vulnerability
Here's an example of such a report:
A flaw exists within the 'mod_headers' module which allows a remote attacker to inject arbitrary headers. This is done by placing a header in the trailer portion of data being sent using chunked transfer encoding.
The title of your report (i.e. the email Subject) should simply state that you've discovered a vulnerability in one of our products:
Product X is affected by a (or multiple) vulnerabilities.
When a vulnerability is discovered, we create a confidential issue to track it internally. Security patches will be pushed to private branches and eventually merged into a security branch. Security issues that are not vulnerabilities can be seen on the projects' public issue tracker.
To view the license for the documentation provided by this wiki, please visit the Wiki Homepage.