MODX takes security seriously. The architecture of MODX Revolution was designed with security as a top focus. Every input is filtered, and every database query that goes through the API is executed as a prepared statement, which removes the classic SQL injection vector from API-level queries. Note that this guarantee covers queries built through the API; code that assembles raw SQL strings by hand is outside it. The Security Team rigorously and continuously audits MODX to make sure we are up to date and patching any new issues that arise.
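As an added illustration (not code from the MODX project or this page) of where the prepared-statement guarantee above does and does not apply, the following PHP contrasts a hand-built query with the parameterised paths. It assumes an initialised $modx (xPDO) instance and that xPDO's query(), prepare(), getTableName(), newQuery() and getCollection() behave as thin wrappers over PDO; the request parameter and the modResource lookup are constructed for the example.

```php
<?php
// Added example, not MODX's own code. Assumes $modx is an initialised modX/xPDO
// instance; the query shape and the 'alias' request parameter are constructed
// for illustration.

// Constructed attacker-controlled input, e.g. ?alias=home' OR '1'='1
$alias = isset($_GET['alias']) ? (string) $_GET['alias'] : '';

// UNSAFE: interpolating the value into the SQL text bypasses the API's
// protection entirely. The single quote in $alias rewrites the WHERE clause.
// This is the kind of code the architectural guarantee does not cover.
$table  = $modx->getTableName('modResource');
$unsafe = $modx->query("SELECT id, pagetitle FROM {$table} WHERE alias = '{$alias}'");

// SAFE: a prepared statement with a bound parameter. The value travels
// separately from the SQL text, so it can never change the query structure.
$stmt = $modx->prepare("SELECT id, pagetitle FROM {$table} WHERE alias = :alias");
$stmt->bindValue(':alias', $alias, PDO::PARAM_STR);
$rows = array();
if ($stmt->execute()) {
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE and idiomatic: the object layer builds the prepared statement itself.
$c = $modx->newQuery('modResource');
$c->where(array('alias' => $alias));
$resources = $modx->getCollection('modResource', $c);
```

When auditing Extras, a useful first check is to grep for `$modx->query(` and `->exec(` with interpolated variables; those calls are where the API's guarantee stops.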
Security Team Responsibilities
- Create and update MODX’s Security Standards document, for core code and Extra developers
- Review the MODX Core, testing security and issuing GitHub Pull Requests for possible security vulnerabilities, especially prior to releases
- Create Unit Tests for MODX that test against common security flaws
- Flag insecure Extras reported by the community, contact the author, and issue an advisory if the Extra is not fixed within an appropriate timeline
- Stay up to date on security issues in PHP and in the database drivers MODX uses (mysql, sqlsrv, etc.)
- Help write documentation and promote awareness about security amongst the MODX community
Submitting a Security Report
Reports should be submitted via this form. Submitting the form automatically notifies the Security Team and creates an issue so the report can be monitored and addressed.
Core Security Policy
MODX Security Team members are to share any security issue they find immediately with the rest of the Security Team and the MODX Core Team. Public announcements are issued only after a patch or hotfix release is made to address the issue, not before. Until that release is made, the issue is kept within the Security Team and not shared with the public at large, so that attackers cannot exploit it before a fix is available. To summarize, if a security issue is found:
- Post the issue to the Security project in Redmine
- Review the issue and evaluate the scope with regards to all releases of MODX
- If it is a valid issue, contact a MODX Core Team member regarding it
- Produce a patch or fix, either as a post on the Redmine issue, in the forums, or as a GitHub Pull Request
- Test and validate the fix to ensure it properly addresses the issue without creating new ones
- If applicable, develop a Unit Test to test against the security issue
- The MODX Core Team will issue a hotfix release for the security issue
- After the release, all necessary media channels will be notified regarding the security issue and the fix, with a recommendation to upgrade
Extras Security Policy
The MODX Security Team is not responsible for Extras for MODX, nor any security issues found within them. When a vulnerability is found in a MODX Extra, the Security Team will be notified and the author will be contacted regarding the issue. The author will be given a reasonable deadline by which to fix the issue. If the deadline is not met, the Extra will be removed from the official MODX Extras repository and a public advisory against the Extra will be released. Deadlines will be set by the Security Team in accordance with the severity of the issue. MODX or the Security Team will not audit or review Extras hosted on any non-official Provider.
Becoming a Security Team Member
You can become a Security Team member by filling out this form. Only members who have signed a CLA will be accepted to the team, for licensing reasons. Also, MODX reserves the right to limit or deny access to this team by merit and history with the project, to keep the team secure and reliable due to the nature of the information the team will handle. Applicants with a known history in the community and/or experience with MODX commits and/or security issues will have a much higher acceptance rate.
The Security Team audits and covers the following MODX versions:
- MODX Revolution 2.x
- MODX Evolution 1.x
The develop branch and feature branches of MODX on Git are not supported by the Security Team, due to the fluid nature of those branches. Once an official release branch is created, it falls within the Security Team's domain. Forks of MODX are not supported.
The Security Team is neither responsible nor liable for Extras audited by the team. The security of those Extras lies with the developer of the Extra itself; the Security Team audits and improves Extras as a service without assuming liability for them.
Current Team Members
The current active members of the Security Team are:
- Everett Griffiths (everettg_99)
- Mikko Lammi (lammikko)
- Nick Crossland (ncrossland)
- Jason Coward (opengeek)
- Shaun McCormick (splittingred)
- Mike Schell (netprophet)