This document describes the security policy for TCExam — a web-based, open-source Computer-Based Assessment (CBA) application.
Security fixes are applied only to the latest stable release on the main branch.
We strongly recommend always running the latest release and keeping the Composer dependencies up to date.
Please do not open a public GitHub issue for security vulnerabilities.
If you discover a security vulnerability — or suspect one — follow responsible disclosure:
- Email the maintainer directly at info@tecnick.com with the subject line: `[SECURITY] TCExam – <brief description>`
- Include as much detail as possible (see What to Include below).
- You will receive an acknowledgement as soon as possible.
- We will work on a fix or mitigation as promptly as the complexity of the issue allows.
If you do not receive a timely response, please follow up by replying to the same email thread.
A high-quality report helps us triage and fix issues faster. Please provide:
- Description — a clear summary of the vulnerability and its potential impact.
- Affected component — which page, function, or feature is involved (e.g. `admin/code/tce_edit_user.php`, the OMR import, the PDF result token).
- Steps to reproduce — a minimal, self-contained sequence of requests or a script that demonstrates the issue.
- Expected vs. actual behaviour — what you expected to happen and what actually happened.
- Environment — TCExam version (`VERSION` file), PHP version, database engine, web server.
- CVE / CWE reference (optional) — if you have already identified a relevant classification.
- Suggested fix (optional) — a patch or proposed mitigation if you have one.
TCExam is a self-hosted application that handles personal data, credentials and exam results. The deploying administrator is responsible for the security of the installation. We recommend:
- Complete and lock down the installer. Run `install/install.php` once, then delete the entire `install/` directory — it must not remain reachable on a production server.
- Change the default credentials immediately. The shipped admin account is `admin`/`1234`. Create a new level-10 administrator and remove the default `admin` user as soon as possible.
- Set a unique `K_RANDOM_SECURITY`. The installer generates a per-install random secret; if you are migrating an old configuration, replace any placeholder or historical default with a fresh random value, e.g. `php -r "echo bin2hex(random_bytes(32)), PHP_EOL;"`. The PDF result-access token fails closed while this secret is left unconfigured.
- Restrict file and URL access. Keep the `K_FILE_ALLOWED_PATHS`/`K_FILE_ALLOWED_HOSTS` allow-lists (in `shared/config/tce_paths.php`) as narrow as possible — they constrain the `tc-lib-file` safe file/URL access used by OMR import and report delivery.
- Serve over HTTPS and keep the secure-cookie and session settings enabled so credentials and session tokens are never sent in clear text.
- Apply the shipped access controls. Run on Apache + `mod_php` so the bundled `.htaccess` rules take effect, or replicate equivalent access restrictions on other web servers (especially for `cache/`, `*/config/` and `admin/backup/`).
- Set least-privilege file permissions for the web-server user (see `doc/UPGRADE.md` for the recommended `chmod`/`chown` commands).
- Keep dependencies up to date. Run `composer update` regularly and monitor advisories with `composer audit`. Pin versions in production with `composer.lock` and review changes on every update.
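A post-deployment script that verifies several of the recommendations above against an install root, added here as an example and not part of the TCExam project. It assumes `K_RANDOM_SECURITY` is set with `define()` in `shared/config/tce_config.php`, that each protected directory ships its own `.htaccess`, and treats any secret shorter than 32 characters as a leftover placeholder.

```shell
# Hardening check for a TCExam install root (example code for this policy, not
# TCExam's own). Assumptions: K_RANDOM_SECURITY is defined via define() in
# shared/config/tce_config.php, each protected directory ships its own
# .htaccess, and a secret under 32 characters is a placeholder. Each check
# prints one FAIL line per finding and returns the number of findings.
check_installer_removed() {   # $1 = install root
    [ -e "$1/install" ] || return 0
    echo "FAIL: $1/install still exists; delete it after running install/install.php"
    return 1
}

check_random_security() {     # $1 = install root
    cfg="$1/shared/config/tce_config.php"
    secret=$(sed -n "s/.*define *( *'K_RANDOM_SECURITY' *, *'\([^']*\)'.*/\1/p" "$cfg" 2>/dev/null | head -n 1)
    [ "${#secret}" -ge 32 ] && return 0
    echo "FAIL: K_RANDOM_SECURITY missing or placeholder-length in $cfg"
    return 1
}

check_htaccess_present() {    # $1 = install root
    n=0
    for d in cache shared/config admin/backup; do
        if [ -d "$1/$d" ] && [ ! -f "$1/$d/.htaccess" ]; then
            echo "FAIL: no .htaccess in $1/$d; direct web access is not blocked"
            n=$((n + 1))
        fi
    done
    return "$n"
}

check_world_writable() {      # $1 = install root
    n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        echo "FAIL: $f is world-writable"; n=$((n + 1))
    done <<EOF
$(find "$1" -perm -002 ! -type l 2>/dev/null)
EOF
    return "$n"
}

run_hardening_checks() {      # $1 = install root; returns the total finding count
    total=0
    for c in check_installer_removed check_random_security \
             check_htaccess_present check_world_writable; do
        "$c" "$1" || total=$((total + $?))
    done
    echo "$total finding(s) in $1"
    return "$total"
}
```

Run it as `run_hardening_checks /path/to/tcexam` after deployment and again after every upgrade; a non-zero exit status means at least one recommendation is not met.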
| Channel | Details |
|---|---|
| Security email | info@tecnick.com |
| Project website | https://tcexam.org |
| GitHub repository | https://github.com/tecnickcom/tcexam |