Actions

Security: Difference between revisions

From Mahara Wiki

No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
Security is very important to Mahara developers. As potential issues are reported to us, we will test, patch and release fixes as quickly as possible.
==Introduction==


Mahara does not have a bug bounty program. We still appreciate security bug reports and will list their reporters in the [[Contributors#Security_researchers|Security researchers]] section of our contributors page as a thank you.
Security is very important to the Mahara project team. As potential issues are reported to us, we will test, patch if necessary, and release fixes as quickly as possible to the Mahara software for organisations to patch their instances.


= Security announcements =
The Mahara team does not have a bug bounty program. We still appreciate security bug reports and will list their reporters in the [[Contributors#Security_researchers|Security researchers]] section of our contributors page as a thank you if issues are reported to us first via a responsible disclosure.


You can see the previous security issues on our [https://bugs.launchpad.net/mahara/+cve bug tracker] or subscribe to security announcements from [https://mahara.org/interaction/forum/view.php?id=43 this forum] via email or [https://mahara.org/interaction/forum/atom.php?type=f&id=43 RSS].
In particular, we appreciate reports that concern the Mahara software. While potential security issues concerning the Mahara infrastructure and supporting tools can be reported, we rely on the security improvements made by the projects who support and package these tools. For example, if you come across security issues in the wiki that is based on MediaWiki, you may wish to report the issue to the MediaWiki project.


= How to test Mahara for security issues =
==Security announcements==


We do not approve test accounts on mahara.org that are created for the purpose of finding security or other issues.
[https://mahara.org/interaction/forum/view.php?id=43 Security announcements] for issues in the Mahara software are made in separately to allow community members to subscribe to them and see them easily.


Please [[Developer_Area/Developer_Environment | install a local copy of Mahara]] using the latest code from the [https://git.mahara.org/mahara/mahara Git repository] on your own infrastructure to test the software. It is open source and you do not incur any fees for installing it.
==How do you test Mahara for security issues?==


= How to report a security issue? =
We do not approve test accounts on mahara.org and other project infrastructure maintained by the Mahara project team that are created for the purpose of finding security or other issues.


For the Mahara team to investigate security reports, the following information is required from the reporter:
Please [[Developer_Area/Developer_Environment |install a local copy of Mahara]] using the [https://mahara.org/download latest code] on your own infrastructure to test the software. It is open source and you do not incur any fees for installing it.


* Description of the security issue including the possible impact if the issue is exploited;
== How do you report a security issue? ==
* The severity of the security issue. We recommend determining the [https://www.first.org/cvss/calculator/3.0 CVSS vector string and score];
You can report security bugs in two different ways:
* Full steps required to allow the project team to verify the security issue;
* Information about how to exploit the security issue;
* Where is the security issue? What hosts or web pages are affected?
* Is the security issue in the Mahara application (which version?) or in the Mahara project infrastructure?


We also ask that you verify that security issues found by automated tools are not false positives. For example, reports of 'possible sensitive information in source code' are unlikely to apply to JavaScript files intentionally downloaded by a web browser and stored in our public source code repository.
#'''Preferred''': Send an email to [mailto:[email protected] [email protected]]. You will receive an automatic reply acknowledging receipt of your report. We do not include your original message.
#In our [https://bugs.launchpad.net/mahara/+filebug bug tracker]: If you think (or know) you have found a security bug, please '''make sure you click 'This bug is a security vulnerability'''' under the 'This bug contains information that is' on the bug tracker form.


If you want to report a TLS configuration issue, we expect to have an A or A+ rating on [https://ssllabs.com/ SSLLabs]. We will only take reports into consideration where our rating would drop below A when caused by TLS configuration issues.
Before reporting any potential issues, please verify that


Please note that the Mahara team can only request a CVE for security issues in the Mahara application itself. Also, the Mahara project is unable to request CWE numbers for security issues.
* your report is not covered on our '[[Security/Responses to common security reports |Responses to common security reports]]' page.
* vulnerabilities with the infrastructure [[Contributors#Mahara_project_infrastructure |haven't already been reported]].  


You can report security bugs in two different ways:
We keep a [https://mahara.org/interaction/forum/view.php?id=43 register of all vulnerabilities that have been addressed in the Mahara codebase].


# In our [https://bugs.launchpad.net/mahara/+filebug bug tracker]: If you think (or know) you have found a security bug, please '''make sure you click "This bug is a security vulnerability"''' under the "This bug contains information that is" on the bug tracker form.
== What should you include in your report? ==
# You can send and email to [mailto:[email protected] [email protected]].
For the Mahara team to investigate security reports, please provide the following information:


You will receive a response from a Mahara team member acknowledging receipt of your email, typically within 1 or 2 New Zealand business days. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.
*Whether the issue affects the Mahara application (which version was tested?) or a part of the project infrastructure;
*Type of vulnerability and its impact and severity. We recommend determining the [https://www.first.org/cvss/calculator/3.0 CVSS vector string and score];
*Whether the vulnerability has already been published or shared with others;
*Description of the security issue;
*Step-by-step instructions or proof of concept to replicate the issue;
*Was personal information exposed? If so, what happened with it.


We appreciate your patience. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Please do not disclose the vulnerability to anyone before the publication of the [https://mahara.org/interaction/forum/view.php?id=43 official Mahara security advisory].
== What will we do? ==
Our team will investigate vulnerability reports and be in touch with you within 10 New Zealand business days either with follow-up questions or our assessment and next steps. We appreciate your patience. Some bugs take time to investigate and the process may involve a review of the codebase for similar problems.


If you report a security vulnerability which was not yet known to the project team, you will be [https://wiki.mahara.org/index.php/Contributors#Security_researchers acknowledged on our site] and also a resulting bug report. If appropriate, a CVE number is filed and you are credited with the discovery of the vulnerability. The Mahara project does not run a bug bounty and cannot compensate for time spent.
If you found a security vulnerability in the Mahara codebase that requires mitigation, we will request a CVE, credit you as reporter in the CVE and on our [[Contributors#Security researchers|security contributor page]] (if you like), and provide a timeline for fixing the problem through publishing a security release for all currently supported versions of Mahara. We aim to address security vulnerabilities as quickly as possible and make fixes available to the Mahara community, allowing organisations to patch their own installations of Mahara. We may prioritise the fixing of issues based on scope and severity of the vulnerability.


= Security in our development process =
We make security release announcements via our [https://mahara.org/interaction/forum/view.php?id=43 official Mahara security advisory forum].


Mahara developers are committed to achieving the highest standard of security. All commits to the Mahara git repository are reviewed by at least one developer who will enforce the guidelines found in [[Developer_Area/How_to_Review_Code]].
== What should you keep in mind? ==
We ask that you verify that security issues found by automated tools are not '''false positives'''. For example, reports of 'possible sensitive information in source code' are unlikely to apply to JavaScript files intentionally downloaded by a web browser and stored in our public source code repository.


Some of the developers are also members of the security team and follow [[Developer_Area/Security_Team|these guidelines]].
If you want to report a '''TLS configuration''' issue, we expect to have an A or A+ rating on [https://ssllabs.com/ SSLLabs]. We will only take reports into consideration where our rating would drop below A when caused by TLS configuration issues.


= Mahara Security Bug Bounty Program (ended)=
Please note that the Mahara team can only request a '''CVE''' for security issues in the Mahara application itself. The Mahara project is unable to request CWE numbers for security issues.


'''The Mahara Security Bug Bounty Program ended in ''October 2012'''''. Please see the [https://mahara.org/interaction/forum/topic.php?id=4923 announcement] for further information.
The Mahara project '''does not run a bug bounty''' and cannot compensate for time spent.


= Responses to common security reports =
==Security in our development process==


The Mahara project team receives reports of security vulnerabilities, particularly in the supporting project infrastructure, that after investigation we determine are not valid or do not need to be fixed.
Mahara developers are committed to achieving the highest standard of security. All commits to the Mahara git repository are reviewed by at least one developer who will enforce the guidelines found in [[Developer_Area/How_to_Review_Code|our code review guidelines]].


[[Security/Responses to common security reports | Common examples]]
Some of the developers are also members of the security team and follow [[Developer_Area/Security_Team|the security guidelines]].

Latest revision as of 15:15, 27 Haziran 2022

Introduction

Security is very important to the Mahara project team. As potential issues are reported to us, we will test, patch if necessary, and release fixes as quickly as possible to the Mahara software for organisations to patch their instances.

The Mahara team does not have a bug bounty program. We still appreciate security bug reports and will list their reporters in the Security researchers section of our contributors page as a thank you if issues are reported to us first via a responsible disclosure.

In particular, we appreciate reports that concern the Mahara software. While potential security issues concerning the Mahara infrastructure and supporting tools can be reported, we rely on the security improvements made by the projects who support and package these tools. For example, if you come across security issues in the wiki that is based on MediaWiki, you may wish to report the issue to the MediaWiki project.

Security announcements

Security announcements for issues in the Mahara software are made in separately to allow community members to subscribe to them and see them easily.

How do you test Mahara for security issues?

We do not approve test accounts on mahara.org and other project infrastructure maintained by the Mahara project team that are created for the purpose of finding security or other issues.

Please install a local copy of Mahara using the latest code on your own infrastructure to test the software. It is open source and you do not incur any fees for installing it.

How do you report a security issue?

You can report security bugs in two different ways:

  1. Preferred: Send an email to [email protected]. You will receive an automatic reply acknowledging receipt of your report. We do not include your original message.
  2. In our bug tracker: If you think (or know) you have found a security bug, please make sure you click 'This bug is a security vulnerability' under the 'This bug contains information that is' on the bug tracker form.

Before reporting any potential issues, please verify that

We keep a register of all vulnerabilities that have been addressed in the Mahara codebase.

What should you include in your report?

For the Mahara team to investigate security reports, please provide the following information:

  • Whether the issue affects the Mahara application (which version was tested?) or a part of the project infrastructure;
  • Type of vulnerability and its impact and severity. We recommend determining the CVSS vector string and score;
  • Whether the vulnerability has already been published or shared with others;
  • Description of the security issue;
  • Step-by-step instructions or proof of concept to replicate the issue;
  • Was personal information exposed? If so, what happened with it.

What will we do?

Our team will investigate vulnerability reports and be in touch with you within 10 New Zealand business days either with follow-up questions or our assessment and next steps. We appreciate your patience. Some bugs take time to investigate and the process may involve a review of the codebase for similar problems.

If you found a security vulnerability in the Mahara codebase that requires mitigation, we will request a CVE, credit you as reporter in the CVE and on our security contributor page (if you like), and provide a timeline for fixing the problem through publishing a security release for all currently supported versions of Mahara. We aim to address security vulnerabilities as quickly as possible and make fixes available to the Mahara community, allowing organisations to patch their own installations of Mahara. We may prioritise the fixing of issues based on scope and severity of the vulnerability.

We make security release announcements via our official Mahara security advisory forum.

What should you keep in mind?

We ask that you verify that security issues found by automated tools are not false positives. For example, reports of 'possible sensitive information in source code' are unlikely to apply to JavaScript files intentionally downloaded by a web browser and stored in our public source code repository.

If you want to report a TLS configuration issue, we expect to have an A or A+ rating on SSLLabs. We will only take reports into consideration where our rating would drop below A when caused by TLS configuration issues.

Please note that the Mahara team can only request a CVE for security issues in the Mahara application itself. The Mahara project is unable to request CWE numbers for security issues.

The Mahara project does not run a bug bounty and cannot compensate for time spent.

Security in our development process

Mahara developers are committed to achieving the highest standard of security. All commits to the Mahara git repository are reviewed by at least one developer who will enforce the guidelines found in our code review guidelines.

Some of the developers are also members of the security team and follow the security guidelines.