Template-Joomla/SECURITY.md

Security Policy

Purpose and Scope

This document defines the security vulnerability reporting, response, and disclosure policy for this Joomla Plugin template repository. It establishes the authoritative process for responsible disclosure, assessment, remediation, and communication of security issues.

Supported Versions

Security updates are provided for the following versions:

Version	Supported
01.x.x	✅
< 01.0	❌

Only the current major version receives security updates. Users should upgrade to the latest supported version to receive security patches.

Reporting a Vulnerability

Where to Report

DO NOT create public GitHub issues for security vulnerabilities.

Report security vulnerabilities privately to:

Email: security@mokoconsulting.tech

Subject Line: [SECURITY] MokoStandards-Template-Joomla-Plugin - Brief Description

What to Include

A complete vulnerability report should include:

1. Description: Clear explanation of the vulnerability
2. Impact: Potential security impact and severity assessment
3. Affected Versions: Which versions are vulnerable
4. Reproduction Steps: Detailed steps to reproduce the issue
5. Proof of Concept: Code, configuration, or demonstration (if applicable)
6. Suggested Fix: Proposed remediation (if known)
7. Disclosure Timeline: Your expectations for public disclosure

Response Timeline

• Initial Response: Within 3 business days
• Assessment Complete: Within 7 business days
• Fix Timeline: Depends on severity (see below)
• Disclosure: Coordinated with reporter

Severity Classification

Vulnerabilities are classified using the following severity levels:

Critical

• Remote code execution
• Authentication bypass
• Data breach or exposure of sensitive information
• Fix Timeline: 7 days

High

• Privilege escalation
• SQL injection or command injection
• Cross-site scripting (XSS) with significant impact
• Fix Timeline: 14 days

Medium

• Information disclosure (limited scope)
• Denial of service
• Security misconfigurations with moderate impact
• Fix Timeline: 30 days

Low

• Security best practice violations
• Minor information leaks
• Issues requiring user interaction or complex preconditions
• Fix Timeline: 60 days or next release

Remediation Process

1. Acknowledgment: Security team confirms receipt and begins investigation
2. Assessment: Vulnerability is validated, severity assigned, and impact analyzed
3. Development: Security patch is developed and tested
4. Review: Patch undergoes security review and validation
5. Release: Fixed version is released with security advisory
6. Disclosure: Public disclosure follows coordinated timeline

Security Advisories

Security advisories are published via:

• GitHub Security Advisories
• Release notes and CHANGELOG.md
• Email notification to project users (if mailing list is established)

Advisories include:

• CVE identifier (if applicable)
• Severity rating
• Affected versions
• Fixed versions
• Mitigation steps
• Attribution (with reporter consent)

Security Best Practices

For projects using this template:

Required Controls

• Enable GitHub security features (Dependabot, code scanning)
• Implement branch protection on main
• Require code review for all changes
• Enforce signed commits (recommended)
• Use secrets management (never commit credentials)
• Maintain security documentation
• Follow secure coding standards defined in MokoStandards

Joomla Plugin Security

• Follow Joomla security best practices
• Validate and sanitize all user input
• Use Joomla's database API to prevent SQL injection
• Properly escape output to prevent XSS
• Implement proper access control checks
• Use Joomla's session and authentication APIs
• Keep Joomla and dependencies up to date

CI/CD Security

• Validate all inputs
• Sanitize outputs
• Use least privilege access
• Pin dependencies with hash verification
• Scan for vulnerabilities in dependencies
• Audit third-party actions and tools

Automated Security Scanning

All repositories SHOULD implement:

CodeQL Analysis:

• Enabled for PHP and other supported languages
• Runs on: push to main, pull requests, weekly schedule
• Query sets: security-extended and security-and-quality
• Configuration: .github/workflows/codeql-analysis.yml

Dependabot Security Updates:

• Weekly scans for vulnerable dependencies
• Automated pull requests for security patches
• Configuration: .github/dependabot.yml

Secret Scanning:

• Enabled by default with push protection
• Prevents accidental credential commits

Dependency Management

• Keep dependencies up to date
• Monitor security advisories for dependencies
• Remove unused dependencies
• Audit new dependencies before adoption
• Document security-critical dependencies

Compliance and Governance

This security policy is aligned with MokoStandards. Deviations require documented justification.

Security policies are reviewed and updated at least annually or following significant security incidents.

Attribution and Recognition

We acknowledge and appreciate responsible disclosure. With your permission, we will:

• Credit you in security advisories
• List you in CHANGELOG.md for the fix release
• Recognize your contribution publicly (if desired)

Contact and Escalation

• Security Team: security@mokoconsulting.tech
• Primary Contact: hello@mokoconsulting.tech
• Escalation: For urgent matters requiring immediate attention, contact the maintainer directly via GitHub

Out of Scope

The following are explicitly out of scope:

• Issues in third-party dependencies (report directly to maintainers)
• Social engineering attacks
• Physical security issues
• Denial of service via resource exhaustion without amplification
• Issues requiring physical access to systems
• Theoretical vulnerabilities without proof of exploitability

---

Metadata

Field	Value
Document	Security Policy
Path	/SECURITY.md
Repository	https://github.com/mokoconsulting-tech/MokoStandards-Template-Joomla-Plugin
Owner	Moko Consulting
Scope	Security vulnerability handling
Status	Active
Effective	2026-01-16

Revision History

Date	Change Description	Author
2026-01-16	Initial creation for template repository	Moko Consulting