Goals of the Mautic Security Team
- Resolve reported security issues in a Security Advisory
- Provide documentation on how to write secure code
- Provide documentation on securing your Mautic instance
- Help the infrastructure team to keep the *.mautic.org infrastructure secure
Scope of the Mautic Security Team
The Mautic Security Team operates with a limited scope and only directly responds to issues with Mautic core, officially supported plugins and the *.mautic.org network of websites. The team does not directly handle potential vulnerabilities with third party plugins or individual Mautic instances.
How to report a potential security issue
If you discover or learn about a potential error, weakness, or threat that can compromise the security of Mautic and is covered by the Security Advisory Policy, we ask you to keep it confidential and submit your concern to the Mautic security team.
To make your report please submit it via GitHub as a private disclosure at https://github.com/mautic/mautic/security.
Do not post it in Github as a general issue or pull request, on the forums, or or discuss it in Slack.
Read more: How to report a security issue with Mautic
How are security issues resolved?
The Mautic Security Team are responsible for triaging incoming security issues relating to Mautic core and officially supported plugins, and for releasing fixes in a timely manner.
Read more: How are security issues triaged and resolved by the Mautic Security Team?
How are security fixes announced and released?
The Security Team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance.
The team may deem it necessary to make an out-of-sequence release, in which case at least two weeks’ notice will be provided to ensure that Mautic users are made aware of a security release being made on an unscheduled basis.
Read more: Security fix announcements and releases
What is a Security Advisory?
A security advisory is a public announcement managed by the Mautic Security Team which informs Mautic users about a reported security problem in Mautic core or an officially supported plugin and the steps Mautic users should take to address it. (Usually this involves updating to a new release of the code that fixes the security problem.)
Read more: Mautic Security Advisory Policy
What is the disclosure policy of the Mautic Security Team?
The security team follows a Coordinated Disclosure policy: we keep issues private until there is a fix. Public announcements are made when the threat has been addressed and a secure version is available.
When reporting a security issue, observe the same policy. Do not share your knowledge of security issues with others.
How do I join the Mautic Security Team?
As membership in the team gives the individual access to potentially destructive information, membership is limited to people who have a proven track record in the Mautic community.
Team members are expected to work at least a few hours every month. Exceptions to that can be made for short periods to accommodate other priorities, but people who can't maintain some level of involvement will be asked to reconsider their membership on the team.
Read more: How do I join the Mautic Security Team?
Who are the Mautic Security Team members?
You can meet the Mautic Security Team on the page below.
Read more: Meet the Mautic Security Team
Resources and guidance from the Drupal, Joomla and Mozilla projects have been drawn from to create these documents and develop our processes/workflows.