Open-source software for Joomla, Gitea, and web platforms. Home of MokoSuite, MokoGitea, and MokoCLI.
Security Reporting
How to report security vulnerabilities in MokoConsulting projects.
Reporting a Vulnerability
Email: security@mokoconsulting.tech
Do NOT file public issues for security vulnerabilities. Use private email only.
What to Include
- Description of the vulnerability
- Steps to reproduce
- Affected version(s) and component(s)
- Impact assessment (what an attacker could do)
- Suggested fix (if you have one)
Response Timeline
| Step | Target (from receipt of report) |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 7 days |
| Fix development | 30 days |
| Release and disclosure | After fix is available |
These are the default targets; the Severity Classification below sets shorter fix targets for Critical and High issues.
Severity Classification
| Severity | Description | Response |
|---|---|---|
| Critical | Remote code execution, SQL injection, auth bypass | Fix within 48 hours, emergency release |
| High | XSS, CSRF, privilege escalation | Fix within 7 days |
| Medium | Information disclosure, denial of service | Fix in next minor release |
| Low | Minor information leak, defense-in-depth | Fix in next scheduled release |
Coordinated Disclosure
- We practice coordinated disclosure — vulnerabilities are disclosed publicly only after a fix is released
- Reporter is credited in the security advisory (unless they prefer anonymity)
- CVE identifiers requested for Critical and High severity vulnerabilities
- Security advisories published on the affected repo's Releases page
Scope
This policy covers:
- All MokoSuite Joomla extensions
- MokoGitea
- MCP servers
- Infrastructure at *.mokoconsulting.tech
Safe Harbor
We will not pursue legal action against security researchers who:
- Act in good faith
- Do not access or modify other users' data
- Report vulnerabilities through the process described above
- Allow reasonable time for a fix before disclosure