Reporting security issues in Ibexa products

The security of Ibexa software is a primary concern and is taken seriously.

For more information on security in Ibexa products, see Ibexa Security Policy.

No engineering team is perfect, though, and if you do discover a security issue in one of our products we are very grateful for your help in reporting it to us privately, and in refraining from public disclosure until we have found a solution and distributed it. Thank you!

Channels

  • If you're a customer or partner, please log in to your Service Portal at https://support.ibexa.co/, click "New Ticket", and report the issue as you would report a normal support request. Ibexa Product Support will respond, take care of the report, and keep you informed of the developments.
  • If you're not a customer or partner, please log in to the Ibexa JIRA issue tracker: https://issues.ibexa.co/. Create an account if you don't have one; it's free. Click the "Create" button in the top menu to create your report. For "Project", select "Ibexa IBX", "eZ Publish / Platform", or "eZ Platform Enterprise Edition", depending on which product is affected by the bug. Important: set "Security Level" to "Security"! This keeps the report private until a fix is available. The engineering team will take care of your report.
  • It's also possible to report security issues by email to security@ibexa.co; this requires no account.

Verbosity

Please be verbose when reporting issues. The issue will be solved faster if you include:

  • A title describing the gist of the issue in one sentence.
  • A description which includes the steps you take to reproduce the problem, what you expect the result to be, and what actually happens.
  • Make it clear why you consider it a security issue. If you know, also include the type of security issue (example: SQL injection, CSRF, Role/Policy failure), its impact (example: slowing/stopping a web site, leaking sensitive information, destroying data, privilege escalation), and how easy it is to exploit (example: Does it require editor login?).

Dialogue

The engineering team may need your help to clarify certain specifics, so please respond to such inquiries. We keep you updated about the progress on our end.

Responsible disclosure

Please give the engineering team time to produce and distribute a solution before you disclose the issue on other channels, if you plan to do so. Please discuss the timing and specifics with the team.

Attribution

If you want, we can include your name and/or the name of your organisation, a link, and a short description about you in the security notification we send out with the fix. Thank you!