Procedimientos de seguridad en Moodle
Nota: Pendiente de Traducir. ¡Anímese a traducir esta página!. ( y otras páginas pendientes)
Nosotros tratamos los incidentes de seguridad en Moodle con mucha seriedad. A pesar de que dedicamos mucho tiempo en diseñar nuestro código para evitar tales problemas, es inevitable que, con un proyecto de esta magnitud, ocasionalmente se descubran nuevas vulnerabilidades.
Política de divulgación de la información (disclosure policy)
We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites time to upgrade or patch their installations.
We ask that when reporting a security issue, you observe these same guidelines, and beyond communicating with the security team, do not share your knowledge of security issues with the public at large.
¿Cómo puedo yo reportar un incidente de seguridad?
Please "Create a new issue" in the Moodle Tracker describing the problem (and solution if possible) in detail. Make sure you set the security level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" are hidden from everyone apart from the security team and the person who reported the problem. If you are not sure whether an issue is a security issue, you should still create a new issue in the tracker for review, using the security level "Could be a security issue".
If you are not able to create an issue on the Moodle Tracker, you may send an email to firstname.lastname@example.org, however this is less secure than using the Tracker.
Please do not post about security issues in the forums on moodle.org or elsewhere. This will cause the issue to be more widely known before a fix can be prepared.
Cómo manejamos nosotros un incidente de seguridad reportado
- The security team reviews the issue and evaluates its potential impact on all supported versions of Moodle.
- The security team works with the issue reporter to resolve the problem, following the Security issue development process and keeping details of the problem and its solution hidden until a release is made.
- New versions are created and tested.
- Meanwhile Moodle requests CVE identifiers for the security issue
- New packages are created and made available on download.moodle.org.
- Advisories are mailed to administrators of registered Moodle sites, giving a period of time when they can upgrade before the issue becomes public.
- A public announcement is made about the security issue in the Moodle security news forum.
- Open Source Software Security is notified about it