Moko Consulting

Open-source software for Joomla, Gitea, and web platforms. Home of MokoSuite, MokoGitea, and MokoCLI.

Security Reporting

How to report security vulnerabilities in MokoConsulting projects.

Reporting a Vulnerability

Email: security@mokoconsulting.tech

Do NOT file public issues for security vulnerabilities. Use private email only.

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected version(s) and component(s)
  • Impact assessment (what an attacker could do)
  • Suggested fix (if you have one)

Response Timeline

Step                     Target
Acknowledgment           48 hours
Initial assessment       7 days
Fix development          30 days
Release and disclosure   After fix is available

Severity Classification

Severity   Description                                          Response
Critical   Remote code execution, SQL injection, auth bypass    Fix within 48 hours, emergency release
High       XSS, CSRF, privilege escalation                      Fix within 7 days
Medium     Information disclosure, denial of service            Fix in next minor release
Low        Minor information leak, defense-in-depth             Fix in next scheduled release

Coordinated Disclosure

  • We practice coordinated disclosure — vulnerabilities are disclosed publicly only after a fix is released
  • The reporter is credited in the security advisory (unless they prefer anonymity)
  • CVE identifiers are requested for Critical and High severity vulnerabilities
  • Security advisories are published on the affected repo's Releases page

Scope

This policy covers:

  • All MokoSuite Joomla extensions
  • MokoGitea
  • MCP servers
  • Infrastructure at *.mokoconsulting.tech

Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith
  • Do not access or modify other users' data
  • Report vulnerabilities through the process described above
  • Allow reasonable time for a fix before disclosure