Security is very important to Mahara developers. As potential issues are reported to us, we will test, patch and release fixes as quickly as possible.
We have a security bug bounty program in place that will reward researchers for finding security issues and disclosing them to us.
Mahara Security Bug Bounty Program
The Mahara Security Bug Bounty Program is designed to encourage security research in Mahara and to reward those who help us create the safest ePortfolio platform.
The bounty for valid critical security bugs is US$ 500 cash reward. The bounty for non-critical security bugs is US$ 200. You will also be credited in our security advisory.
The bounty will be awarded for security bugs that meet the following criteria:
- Security bug must be original and previously unreported.
- Security bug is present in the most recent stable release (or release candidate) of Mahara.
- If two or more people report the same bug, the reward will be divided among them.
- Members of the Mahara security team are not eligible.
How to report a security issue?
Please email security issues to [email protected] and provide as many details as you can about the environment (Mahara version, database version, plugins used, etc.).
Alternatively, you can report security issues on our bug tracker if you select the "This bug is a security vulnerability" option when reporting your bug (which will hide the bug and mark it as private). If you report the bug publicly, we will be unable to offer you the bounty.
You will receive a response from a developer acknowledging receipt of your email, typically within 1 or 2 business days. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.
We appreciate your patience. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Please do not disclose the vulnerability to anyone before the publication of the official Mahara security advisory.
Security in our development process
Mahara developers are committed to achieving the highest standard of security. All commits to the Mahara git repository are reviewed by at least one developer who will enforce the guidelines found in Developer_Area/How_to_Review_Code.
Some of the developers are also members of the security team and follow these guidelines.