Difference between revisions of "Security"

From Mahara Wiki

(Created page with "Security is very important to Mahara developers. As potential issues are reported to us, we will test, patch and release fixes as quickly as possible. We have a security bug bou…")
 
(12 intermediate revisions by 3 users not shown)
Line 1 (both revisions):

  Security is very important to Mahara developers. As potential issues are reported to us, we will test, patch and release fixes as quickly as possible.

− We have a security bug bounty program in place that will reward researchers for finding security issues and disclosing them to us.
+ Mahara does not have a bug bounty program. We still appreciate security bug reports and will list their reporters in the [[Contributors#Security_researchers|Security researchers]] section of our contributors page as a thank you.

  = Security announcements =

Line 7 (both revisions):

  You can see the previous security issues on our [https://bugs.launchpad.net/mahara/+cve bug tracker] or subscribe to security announcements from [https://mahara.org/interaction/forum/view.php?id=43 this forum] via email or [https://mahara.org/interaction/forum/atom.php?type=f&id=43 RSS].

− = Mahara Security Bug Bounty Program =
+ = How to test Mahara for security issues =

− The Mahara Security Bug Bounty Program is designed to encourage security research in Mahara and to reward those who help us create the safest ePortfolio platform.
+ We do not approve test accounts on mahara.org that are created for the purpose of finding security or other issues.

− The bounty for valid critical security bugs is '''US$ 500 cash reward'''. The bounty for non-critical security bugs is '''US$ 200'''. You will also be credited in our security advisory.
+ Please [[Developer_Area/Developer_Environment | install a local copy of Mahara]] using the latest code from the [https://git.mahara.org/mahara/mahara Git repository] on your own infrastructure to test the software. It is open source and you do not incur any fees for installing it.

− The bounty will be awarded for security bugs that meet the following criteria:
− * Security bug must be original and previously unreported.
− * Security bug is present in the most recent stable release (or release candidate) of Mahara.
− * If two or more people report the same bug, the reward will be divided among them.
− * Members of the Mahara security team are not eligible.

  = How to report a security issue? =

Line 24 (old revision) / Line 17 (new revision):

  Please email security issues to [email protected] and provide as many details as you can about the environment (Mahara version, database version, plugins used, etc.).

− Alternatively, you can report security issues on our [https://bugs.launchpad.net/mahara/+filebug bug tracker] if you select the "This bug is a security vulnerability" option when reporting your bug (which will hide the bug and mark it as private). If you report the bug publicly, we will be unable to offer you the bounty.
+ Alternatively, you can report security issues on our [https://bugs.launchpad.net/mahara/+filebug bug tracker] if you select the "Private security" option under "This bug contains information that is" when reporting your bug (which will hide the bug and mark it as private).

− You will receive a response from a developer acknowledging receipt of your email, typically '''within 1 or 2 business days'''. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.
+ You will receive a response from a developer acknowledging receipt of your email, typically '''within 1 or 2 New Zealand business days'''. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.

  We appreciate your patience. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Please do not disclose the vulnerability to anyone before the publication of the official [https://mahara.org/interaction/forum/view.php?id=43 Mahara security advisory].

+ When contacting us about a security vulnerability. Let us know whether you want to be listed as a security researcher at [https://wiki.mahara.org/index.php/Contributors#Security_Researchers], and if so, how you should be presented.

  = Security in our development process =

Line 35 (old revision) / Line 30 (new revision):

  Some of the developers are also members of the security team and follow [[Developer_Area/Security_Team|these guidelines]].

+ = Mahara Security Bug Bounty Program (ended)=
+ '''The Mahara Security Bug Bounty Program ended in ''October 2012'''''. Please see the [https://mahara.org/interaction/forum/topic.php?id=4923 announcement] for further information.

Revision as of 16:01, 14 June 2017

Security is very important to Mahara developers. As potential issues are reported to us, we will test, patch and release fixes as quickly as possible.

Mahara does not have a bug bounty program. We still appreciate security bug reports and will list their reporters in the Security researchers section of our contributors page as a thank you.

Security announcements

You can see the previous security issues on our bug tracker or subscribe to security announcements from this forum via email or RSS.

How to test Mahara for security issues

We do not approve test accounts on mahara.org that are created for the purpose of finding security or other issues.

Please install a local copy of Mahara using the latest code from the Git repository on your own infrastructure to test the software. It is open source and you do not incur any fees for installing it.

How to report a security issue?

Please email security issues to [email protected] and provide as many details as you can about the environment (Mahara version, database version, plugins used, etc.).

Alternatively, you can report security issues on our bug tracker if you select the "Private security" option under "This bug contains information that is" when reporting your bug (which will hide the bug and mark it as private).

You will receive a response from a developer acknowledging receipt of your email, typically within 1 or 2 New Zealand business days. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.

We appreciate your patience. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Please do not disclose the vulnerability to anyone before the publication of the official Mahara security advisory.

When contacting us about a security vulnerability, let us know whether you want to be listed as a security researcher on the contributors page (https://wiki.mahara.org/index.php/Contributors#Security_Researchers), and if so, how you should be presented.

Security in our development process

Mahara developers are committed to achieving the highest standard of security. All commits to the Mahara git repository are reviewed by at least one developer who will enforce the guidelines found in Developer_Area/How_to_Review_Code.

Some of the developers are also members of the security team and follow these guidelines.

Mahara Security Bug Bounty Program (ended)

The Mahara Security Bug Bounty Program ended in October 2012. Please see the announcement for further information.