
Difference between revisions of "Security"

From Mahara Wiki

(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Security is very important to Mahara developers. As potential issues are reported to us, we will test, patch and release fixes as quickly as possible.
+
= Introduction =
  
In the past, we had a security bug bounty program in place that rewarded researchers for finding security issues and disclosing them to us.
+
Security is very important to Mahara developers. As potential issues are reported to us, we will test, patch if applicable, and release fixes as quickly as possible to the Mahara software.
 +
 
 +
Mahara does not have a bug bounty program. We still appreciate security bug reports and will list their reporters in the [[Contributors#Security_researchers|Security researchers]] section of our contributors page as a thank you.
 +
 
 +
In particular, we appreciate reports that concern the Mahara software. While potential security issues concerning the Mahara infrastructure and supporting tools can be reported, we rely on the security improvements made by the projects who support and package these tools. For example, if you come across security issues in the wiki that is based on MediaWiki, you may wish to report the issue to the MediaWiki project.
  
 
= Security announcements =
 
= Security announcements =
Line 7: Line 11:
 
You can see the previous security issues on our [https://bugs.launchpad.net/mahara/+cve bug tracker] or subscribe to security announcements from [https://mahara.org/interaction/forum/view.php?id=43 this forum] via email or [https://mahara.org/interaction/forum/atom.php?type=f&id=43 RSS].
 
You can see the previous security issues on our [https://bugs.launchpad.net/mahara/+cve bug tracker] or subscribe to security announcements from [https://mahara.org/interaction/forum/view.php?id=43 this forum] via email or [https://mahara.org/interaction/forum/atom.php?type=f&id=43 RSS].
  
= Mahara Security Bug Bounty Program (ended)=
+
= How to test Mahara for security issues =
  
'''The Mahara Security Bug Bounty Program ended in ''October 2012'''''. Please see the [https://mahara.org/interaction/forum/topic.php?id=4923 announcement] for further information.
+
We do not approve test accounts on mahara.org that are created for the purpose of finding security or other issues.
  
We still appreciate security bug reports and will list their reporters in the [[Contributors#Security_researchers|Security researchers]] section of our contributors page as a thank you.
+
Please [[Developer_Area/Developer_Environment | install a local copy of Mahara]] using the latest code from the [https://git.mahara.org/mahara/mahara Git repository] on your own infrastructure to test the software. It is open source and you do not incur any fees for installing it.
  
 
= How to report a security issue? =
 
= How to report a security issue? =
  
Please email security issues to security@mahara.org and provide as many details as you can about the environment (Mahara version, database version, plugins used, etc.).
+
Before reporting any potential issues, please verify that your report is not covered on our "[[Security/Responses to common security reports | Responses to common security reports]]" page and that vulnerabilities with the infrastructure [[Contributors#Mahara_project_infrastructure | haven't already been reported]]. We also keep a [https://mahara.org/interaction/forum/view.php?id=43 register of all vulnerabilities that have been addressed in the Mahara codebase].
 +
 
 +
For the Mahara team to investigate security reports, the following information is required from the reporter:
 +
 
 +
* Description of the security issue including the possible impact if the issue is exploited;
 +
* The severity of the security issue. We recommend determining the [https://www.first.org/cvss/calculator/3.0 CVSS vector string and score];
 +
* Full steps required to allow the project team to verify the security issue;
 +
* Information about how to exploit the security issue;
 +
* Where is the security issue? What hosts or web pages are affected?
 +
* Is the security issue in the Mahara application (which version?) or in the Mahara project infrastructure?
 +
 
 +
'''We also ask that you verify that security issues found by automated tools are not false positives.''' For example, reports of 'possible sensitive information in source code' are unlikely to apply to JavaScript files intentionally downloaded by a web browser and stored in our public source code repository.
 +
 
 +
If you want to report a TLS configuration issue, we expect to have an A or A+ rating on [https://ssllabs.com/ SSLLabs]. We will only take reports into consideration where our rating would drop below A when caused by TLS configuration issues.
 +
 
 +
Please note that the Mahara team can only request a CVE for security issues in the Mahara application itself. Also, the Mahara project is unable to request CWE numbers for security issues.
 +
 
 +
You can report security bugs in two different ways:
  
Alternatively, you can report security issues on our [https://bugs.launchpad.net/mahara/+filebug bug tracker] if you select the "Private security" option under "This bug contains information that is" when reporting your bug (which will hide the bug and mark it as private).
+
# In our [https://bugs.launchpad.net/mahara/+filebug bug tracker]: If you think (or know) you have found a security bug, please '''make sure you click "This bug is a security vulnerability"''' under the "This bug contains information that is" on the bug tracker form.
 +
# You can send and email to [mailto:[email protected] [email protected]].
  
You will receive a response from a developer acknowledging receipt of your email, typically '''within 1 or 2 business days'''. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.
+
You will receive a response from a Mahara team member acknowledging receipt of your email, typically within 1 or 2 New Zealand business days. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.
  
We appreciate your patience. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Please do not disclose the vulnerability to anyone before the publication of the official [https://mahara.org/interaction/forum/view.php?id=43 Mahara security advisory].
+
We appreciate your patience. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Please do not disclose the vulnerability to anyone before the publication of the [https://mahara.org/interaction/forum/view.php?id=43 official Mahara security advisory].
  
When contacting us about a security vulnerability. Let us know whether you want to be listed as a security researcher at [https://wiki.mahara.org/index.php/Contributors#Security_Researchers], and if so, how you should be presented.
+
If you report a security vulnerability which was not yet known to the project team, you will be [https://wiki.mahara.org/index.php/Contributors#Security_researchers acknowledged on our site] and also a resulting bug report. If appropriate, a CVE number is filed and you are credited with the discovery of the vulnerability. The Mahara project does not run a bug bounty and cannot compensate for time spent.
  
 
= Security in our development process =
 
= Security in our development process =
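Review bot: the replacement acknowledgement paragraph at the end of this hunk drops the removed request that reporters say whether they want to be listed as a security researcher and how they should be presented. The new text states that the reporter "will be acknowledged" without asking for a preference, so consider keeping a sentence that asks whether and under what name the reporter wants to be credited. In the same paragraph, "and also a resulting bug report" is missing "in", and the second item of the added numbered list reads "send and email" where "send an email" is meant.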
Line 30: Line 52:
  
 
Some of the developers are also members of the security team and follow [[Developer_Area/Security_Team|these guidelines]].
 
Some of the developers are also members of the security team and follow [[Developer_Area/Security_Team|these guidelines]].
 +
 +
= Mahara Security Bug Bounty Program (ended)=
 +
 +
'''The Mahara Security Bug Bounty Program ended in ''October 2012'''''. Please see the [https://mahara.org/interaction/forum/topic.php?id=4923 announcement] for further information.
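Review bot: the heading moved to the end of the page, "= Mahara Security Bug Bounty Program (ended)=", has no space before its closing "=", unlike the other level-one headings in this diff such as "= Introduction ="; add the space for consistency. Since the added introduction and the added acknowledgement paragraph both already state that there is no bug bounty, this section could be reduced to the link to the announcement.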

Revision as of 11:53, 9 July 2018

Introduction

Security is very important to Mahara developers. As potential issues are reported to us, we will test, patch if applicable, and release fixes as quickly as possible to the Mahara software.

Mahara does not have a bug bounty program. We still appreciate security bug reports and will list their reporters in the Security researchers section of our contributors page as a thank you.

In particular, we appreciate reports that concern the Mahara software. While potential security issues concerning the Mahara infrastructure and supporting tools can be reported, we rely on the security improvements made by the projects that support and package these tools. For example, if you come across security issues in the wiki that is based on MediaWiki, you may wish to report the issue to the MediaWiki project.

Security announcements

You can see the previous security issues on our bug tracker or subscribe to security announcements from this forum via email or RSS.

How to test Mahara for security issues

We do not approve test accounts on mahara.org that are created for the purpose of finding security or other issues.

Please install a local copy of Mahara using the latest code from the Git repository on your own infrastructure to test the software. It is open source and you do not incur any fees for installing it.

How to report a security issue?

Before reporting any potential issues, please verify that your report is not covered on our "Responses to common security reports" page and that vulnerabilities with the infrastructure haven't already been reported. We also keep a register of all vulnerabilities that have been addressed in the Mahara codebase.

For the Mahara team to investigate security reports, the following information is required from the reporter:

  • Description of the security issue including the possible impact if the issue is exploited;
  • The severity of the security issue. We recommend determining the CVSS vector string and score;
  • Full steps required to allow the project team to verify the security issue;
  • Information about how to exploit the security issue;
  • Where is the security issue? What hosts or web pages are affected?
  • Is the security issue in the Mahara application (which version?) or in the Mahara project infrastructure?

We also ask that you verify that security issues found by automated tools are not false positives. For example, reports of 'possible sensitive information in source code' are unlikely to apply to JavaScript files intentionally downloaded by a web browser and stored in our public source code repository.

We expect to have an A or A+ rating on SSLLabs. If you want to report a TLS configuration issue, we will only take the report into consideration where the TLS configuration issue would cause our rating to drop below A.

Please note that the Mahara team can only request a CVE for security issues in the Mahara application itself. Also, the Mahara project is unable to request CWE numbers for security issues.

You can report security bugs in two different ways:

  1. In our bug tracker: If you think (or know) you have found a security bug, please make sure you click "This bug is a security vulnerability" under "This bug contains information that is" on the bug tracker form.
  2. You can send an email to security@mahara.org.

You will receive a response from a Mahara team member acknowledging receipt of your email, typically within 1 or 2 New Zealand business days. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.

We appreciate your patience. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Please do not disclose the vulnerability to anyone before the publication of the official Mahara security advisory.

If you report a security vulnerability which was not yet known to the project team, you will be acknowledged on our site and also in a resulting bug report. If appropriate, a CVE number is filed and you are credited with the discovery of the vulnerability. The Mahara project does not run a bug bounty and cannot compensate for time spent.

Security in our development process

Mahara developers are committed to achieving the highest standard of security. All commits to the Mahara git repository are reviewed by at least one developer who will enforce the guidelines found in Developer_Area/How_to_Review_Code.

Some of the developers are also members of the security team and follow these guidelines.

Mahara Security Bug Bounty Program (ended)

The Mahara Security Bug Bounty Program ended in October 2012. Please see the announcement for further information.