Skip to content

Security: getgrav/grav

SECURITY.md

Security Policy

Supported Versions

We are focusing our security updates on the following versions

Version Supported
1.7.x
1.6.x
< 1.6

📌 Note on Security Severity

NOTE: Please use the following guidelines when selecting a Severity. Submitted advisories that are marked High or Critical that don't meet the guidelines below will be closed.

  • CRITICAL - no account required, can modify content, or run malicious code or nefarious activity without any access.
  • HIGH - publisher level account able to run malicious code or nefarious activity, or other high level security things.
  • MODERATE - admin level account able to run malicious code or do nefarious things. other moderate security things.
  • LOW - super admin level account able to run malicious code or do nefarious things. other minor security things.

⚠️ Versions

Versions with ⚠️ will be supported for security issues, however you won't be able to update to them, you will need to manually update through the direct-install command.

If you cannot update to the latest stable version available because, for example, your server does not meet the minimum PHP requirements, you can manually install a previous version by downloading the package from our Releases directory (https://github.com/getgrav/grav/releases).

📝 Reporting a Vulnerability

Please contact security@getgrav.org with a detailed explanation of the security issue found. If it appears to be a legitimate issues, please submit an advisory via GitHub Security: https://github.com/getgrav/grav/security/advisories

NOTE: Please do not use 3rd party security issue reporting services, we like to keep everything in the GitHub ecosystem for easier manageability.

🐛 Bug Bounties

We do greatly appreciate your efforts to improve Grav, but unfortunately because we are a small open source project, we do not have the resources to offer bounties for security issues found.

Learn more about advisories related to getgrav/grav in the GitHub Advisory Database