Richtlinien zum Umgang mit Sicherheitsproblemen: Unterschied zwischen den Versionen

Wechseln zu: Navigation, Suche
(kein Unterschied)

Version vom 4. Mai 2012, 18:35 Uhr

Baustelle.png Diese Seite ist noch nicht vollständig übersetzt.

Wir nehmen Sicherheitsprobleme in Moodlesehr ernst. Auch wenn wir viel Zeit in das Entwickeln und Testen des Codes investieren, kann bei der Größe dieses Projekts niemals gänzlich ausgeschlossen werden, dass Sicherheitslücken auftreten.


We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites time to upgrade or patch their installations. Please note it is considered irresponsible to publicly repost mailed security notices before they are published at

We ask that when reporting a security issue, you observe these same guidelines, and beyond communicating with the security team (led by Petr Škoda), do not share your knowledge of security issues with the public at large.

How can I report a security issue?

Please "Create a new issue" in the Moodle tracker describing the problem (and solution if possible) in detail. Make sure you set the security level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" are hidden from everyone apart from the security team and the person who reported the problem.

If you are not sure whether an issue is a security issue, you should still create a new issue in the tracker for review. Please do NOT post in one of the forums on

How we deal with a reported security issue

  1. The security team reviews the issue and evaluates its potential impact on all supported versions of Moodle
  2. The security team works with the issue reporter to resolve the problem
  3. New versions are created and tested
  4. New packages are created and made available on
  5. Advisories are mailed to administrators of registered Moodle sites
  6. A public announcement is made about the security issue in the Moodle security news forum