The timeline and details around the reporting of a security issue with ProEvents...
On February 1st, 2016 a security researcher contacted a community leader in IRC about a serious security concern in ProEvents. That concern was forwarded via email by the community member to the add-on developer. No one on the core team or at email@example.com was notified. Unfortunately the add-on developer missed that email and the issue was not addressed. There was no explicit policy on what to do for 3rd party security issues on our security page, which was clearly a huge oversight on our part.
On April 11th a public forum thread was started by the same security researcher on concrete5.org asking about the correct process for reporting security vulnerabilities on 3rd party add-ons.
On April 12th the forum discussion and subsequent IRC chat resulted in the content at https://www.concrete5.org/developers/security being updated to detail explicit directions on what to do about add-on and theme security issues. The core team was made aware of the details of this specific security issue at that point for the first time.
On April 13th the add-on had an updated version resolving the issue, but no notification to customers had yet gone out and the add-on (now fixed) was still available for sale in the marketplace. Without notifying us, the security researcher published details of their exploit to their own public blog at this point.
On April 14th we stopped new sales of all of the add-ons from the developer, verified the issue was actually resolved in this particular add-on, patched our enterprise support clients who were using it, and we notified customers who have purchased the add-on that they should update both the core CMS and the add-on immediately.
If you have ProEvents installed on a version 6 legacy or version 7 concrete5 site, you should immediately:
- Upgrade concrete5 itself so you’re running the latest stable legacy or version 7 copy.
- Update ProEvents from your dashboard.
- If you can’t update from your dashboard for some reason, email firstname.lastname@example.org for patch information.
Currently we are working with the developer to make sure there are no similar issues in other add-ons in their offerings.
Thank you to the researcher for reporting the issue in the first place, good eyes! Additionally, we agree - it absolutely should be 100% clear where to report add-on/theme security related issues, and it clearly wasn’t at the time. That’s our fault.
We take security very seriously here, and there was clearly a communication breakdown on this. Building a vulnerabilities reporting system into the marketplace for every individual add-on/theme has been suggested, but feels impractical at best. Instead we’re working on extending our policy on HackerOne.com/concrete5 to include add-on/theme related issues, as well as community site issues at concrete5.org.
HackerOne gives us a wonderful communication tool where open discussion can be securely shared between us and researchers, with a mutually agreed schedule for a safe disclosure after we’ve had a chance to roll out a resolution.
We can’t (and don’t) promise that add-ons and themes in the marketplace will be 100% secure. The Peer Review Board (PRB) performs both automated tests and a manual review of new submissions, but they’re human and they also don’t check subsequent updates. What we can promise is that if you’re making an effort to let us know about an important vulnerability, we’re going to make every effort to be very responsive to your concerns.
If you find yourself in the middle of any security related knowledge, we want to know. It’s important to us. Don’t make any assumptions. If you’re not clear on what to do at this point, just make sure to email us at email@example.com - we will always track these issues, and certainly when/if there are serious issues like this one, we’re going to get involved quickly.
A Huge Thank You!
Thank you to our security team for their swift resolution of this issue. We would like to recognize your incredible dedication and support! We appreciate everything you do to make concrete5 successful. Contributors like you are worth their weight in gold.
Special thanks to:
EC-Joe : Man you’re bright and always there!
Chad : Kudos for dropping everything and getting this resolved today
EC-Chris, Mnkras, mrkdilkington, JohnTheFish, everyone who got involved in that forum thread and everyone hanging out in Slack on #security
And particularly to JFolkins… You’re super clever with code man! My personal apologies to you for not having a policy in place for reporting these issues.
4/20/16 Update: ProEvents for concrete5 version 7 has been reactivated in the marketplace. So has ProBlog for version 7 which did NOT have any security issues reported to us nor did it have any we could find on review.