Note: You are currently viewing documentation for Moodle 2.4. Up-to-date documentation for the latest stable version of Moodle may be available here: Moodle security procedures.

Moodle security procedures: Difference between revisions

From MoodleDocs
(Adding note about holding issues until release.)
(Moved to dev docs)
 
Line 1: Line 1:
{{Security}}
{{Moved to dev docs}}
<p class="note">'''Note''': This is a draft document.</p>
 
 
We treat  security issues in Moodle software very seriously. Even though we dedicate a lot of time designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.
 
==Disclosure policy==
 
We practice ''responsible'' disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites time to upgrade or patch their installations. Please note it is considered irresponsible to publicly repost mailed security notices '''before''' they are published at moodle.org.
 
We ask that when reporting a security issue, you observe these same guidelines, and beyond communicating with the security team (led by Petr Škoda), do not share your knowledge of security issues with the public at large.
 
==How can I report a  security issue?==
 
Please "[http://tracker.moodle.org/secure/CreateIssue.jspa Create a new issue]" in the Moodle tracker describing the problem (and solution if possible) in detail. Make sure you set the security level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" are hidden from everyone apart from the security team and the person who reported the problem.
 
If you are not sure whether an issue is a security issue, you should still create a new issue in the tracker for review, using the security level "Could be a security issue".
 
Please do NOT post about security issues in the forums on moodle.org. This will cause the issue to be more widely known before a fix can be prepared.
 
==How we deal with a reported security issue==
 
# The security team reviews the issue and evaluates its potential impact on all supported versions of Moodle.
# The security team works with the issue reporter to resolve the problem, keeping details of the problem and its solution hidden until a release is made.
# New versions are created and tested.
# New packages are created and made available on download.moodle.org.
# Advisories are mailed to administrators of registered Moodle sites.
# A public announcement is made about the security issue in the [http://moodle.org/mod/forum/view.php?id=7128 Moodle security news forum].
 
[[de:Sicherheitsprozeduren]]

Latest revision as of 16:11, 24 June 2014

This development related page is now located in the Dev docs.

See the Moodle security procedures page in the Dev docs.