Security
ModPageSpeed 2.0 processes untrusted content — HTML, CSS, JavaScript, and images from origin servers. We take this seriously.
Reporting vulnerabilities
If you've found a security vulnerability, please email security@modpagespeed.com with details. Do not open a public GitHub issue for security vulnerabilities.
What to include
- A description of the vulnerability and its potential impact.
- Steps to reproduce the issue.
- Affected versions, if known.
- Your assessment of severity and impact.
Our commitment
Acknowledgement within 2 business days (CET). Triage within 5 business days. Critical vulnerabilities affecting production deployments jump the queue.
Safe harbor
We will not pursue legal action against security researchers who act in good faith. Good faith means: you report the vulnerability to us before disclosing publicly, you don't access or modify other users' data, and you don't degrade the service for others.
Scope
This security policy covers the ModPageSpeed 2.0 software (the nginx module, the optimization worker, and the cache layer), the mod_pagespeed 1.1 ports (Apache, nginx, Envoy, IIS), and the modpagespeed.com website.
Security updates
Security fixes are announced via blog posts on this site. We recommend subscribing to the blog to receive notifications for all updates, including security patches.
Evidence
Security disclosure
Report vulnerabilities to security@we-amp.com. GPG key on request. See security.txt.
CVE history
We publish disclosures here when any issue warrants a CVE.
Dependency audits
We audit dependencies quarterly and when a CVSS ≥ 7.0 CVE is disclosed against a direct dependency.
SBOM
SBOM (CycloneDX format) publication is on our roadmap for Q3 2026. Enterprise customers can request a snapshot in the meantime via contact.
Architecture note
ModPageSpeed 2.0 processes untrusted content by design — it rewrites HTML, minifies CSS and JavaScript, and transcodes images from origins you configure. We take this attack surface seriously. The entire codebase runs with AddressSanitizer and UndefinedBehaviorSanitizer in CI, catching memory safety issues and undefined behavior before they reach production. The code is written in C++23 and follows modern memory management practices with smart pointers and RAII throughout.
Threat model
ModPageSpeed processes untrusted images, CSS, JS, and HTML from origin servers. The worker process communicates only via a local Unix socket — it has no network access beyond the cache file and socket. All content parsing uses memory-safe patterns validated by continuous sanitizer testing (ASan, UBSan, TSan). No user data is transmitted externally.
Supply chain
All dependencies are pinned with SHA-256 checksums in the build configuration. Builds are reproducible from a given commit.
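The check a build should make when dependencies are pinned this way is fail-closed in both directions: every pinned archive must match its digest, and every archive present must have a pin. The script below is an added example written for this page, not ModPageSpeed's own build configuration; it assumes a lock file in the layout `sha256sum` prints (`<sha256>  <relative path>`, one entry per line) and that `sha256sum` (or `shasum` on macOS) is available. The archives and digests in the `demo` fixture are constructed.

```shell
#!/bin/sh
# Added example, not ModPageSpeed's own build code: verify vendored dependency
# archives against SHA-256 digests pinned in a lock file, failing closed on
# any mismatch, any missing archive, and any archive that has no pin at all.
# Assumed lock-file format, one entry per line: "<sha256>  <relative path>".

# sha256_of FILE -> prints the hex digest (sha256sum, or shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
# A pin must be exactly 64 lowercase hex characters; anything else is rejected
# before comparison so a truncated or malformed pin can never "match".
verify_pinned() {
  [ ${#2} -eq 64 ] || return 1
  case $2 in *[!0-9a-f]*) return 1 ;; esac
  [ "$(sha256_of "$1")" = "$2" ]
}

# check_pins LOCKFILE DEPDIR -> 0 only if every entry in LOCKFILE exists under
# DEPDIR with a matching digest AND every file under DEPDIR has a pin.
# Prints one line per problem: MISSING, MISMATCH or UNPINNED.
check_pins() {
  lock=$1; dir=$2; rc=0
  # 1. every pinned entry must exist and match
  #    (the "|| [ -n ... ]" keeps a last line without a trailing newline)
  while read -r digest path || [ -n "$digest" ]; do
    [ -n "$digest" ] || continue
    if [ ! -f "$dir/$path" ]; then
      echo "MISSING  $path"; rc=1
    elif ! verify_pinned "$dir/$path" "$digest"; then
      echo "MISMATCH $path"; rc=1
    fi
  done < "$lock"
  # 2. every archive present must be pinned, so an unlisted file that was
  #    dropped into the vendor directory cannot reach the build unnoticed
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=${f#"$dir"/}
    awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$lock" \
      || { echo "UNPINNED $name"; rc=1; }
  done
  return $rc
}

# demo -> constructed fixture (not real dependencies): one archive pinned
# correctly, one pinned with a digest that cannot match, one not pinned.
# Returns check_pins' status, which is 1 for this fixture.
demo() {
  d=$(mktemp -d)
  mkdir "$d/deps"
  printf 'hello\n' > "$d/deps/libfoo-1.0.tar.gz"   # sha256 of "hello\n" below
  printf 'hello\n' > "$d/deps/libbar-2.3.tar.gz"
  printf 'stray\n' > "$d/deps/unlisted.tar.gz"
  cat > "$d/deps.lock" <<'EOF'
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  libfoo-1.0.tar.gz
0000000000000000000000000000000000000000000000000000000000000000  libbar-2.3.tar.gz
EOF
  check_pins "$d/deps.lock" "$d/deps"
}

# Usage: sh verify_pins.sh deps.lock deps/   (no arguments runs the demo)
if [ "$#" -eq 2 ]; then
  check_pins "$1" "$2"
elif [ "$#" -eq 0 ]; then
  if demo; then echo "all pins verified"; else echo "pin check failed (expected for the demo fixture)"; fi
fi
```

Wire `check_pins` in before any archive is unpacked so that a non-zero status aborts the build; the UNPINNED case is the one most pinning setups forget, and it is what turns a lock file from a convenience into an allowlist.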