The Mautic Security Team operates with a limited scope and only directly responds to issues with Mautic core, officially supported plugins and the *.mautic.org network of websites. The team does not directly handle potential vulnerabilities with third party plugins or individual Mautic instances.
Check the Releases page to see which releases are currently supported.
Starting with the release of Mautic 3.0, only one minor version at a time receives security advisories: the most recent minor release.
For example, Mautic 4.1 will continue receiving security advisories until the release of Mautic 4.2, and 4.2 will receive security advisories until the release of 4.3.
Security advisories are only made for issues affecting stable releases in the supported major version branches. That means there will be no security advisories for development releases, alphas, betas or release candidates.
If you discover or learn about a potential error, weakness, or threat that can compromise the security of Mautic and is covered by the Security Advisory Policy, we ask you to keep it confidential and submit your concern to the Mautic security team.
To make your report, submit it as a private disclosure at https://github.com/mautic/mautic/security. You can also create a private fork to provide a fix, if you're able to do so. See the documentation from GitHub on privately reporting a security issue.
Do not post it on GitHub as an issue or a Pull Request or on the forums, and do not discuss it in Slack.
Read more: How to report a security issue with Mautic
The Mautic Security Team is responsible for triaging incoming security issues relating to Mautic core and officially supported plugins, and for releasing fixes in a timely manner.
Read more: How are security issues triaged and resolved by the Mautic Security Team?
The Security Team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance.
The team may deem it necessary to make an out-of-sequence release, in which case at least two weeks’ notice will be provided to ensure that Mautic users are made aware of a security release being made on an unscheduled basis.
Read more: Security fix announcements and releases
A security advisory is a public announcement managed by the Mautic Security Team which informs Mautic users about a reported security problem in Mautic core or an officially supported plugin and the steps Mautic users should take to address it. (Usually this involves updating to a new release of the code that fixes the security problem.)
Read more: Mautic Security Advisory Policy
The security team follows a Coordinated Disclosure policy: we keep issues private until there is a fix. Public announcements are made when the threat has been addressed and a secure version is available.
When reporting a security issue, observe the same policy. Do not share your knowledge of security issues with others.
As membership in the team gives the individual access to potentially destructive information, membership is limited to people who have a proven track record in the Mautic community.
Team members are expected to work at least a few hours every month. Exceptions to that can be made for short periods to accommodate other priorities, but people who can't maintain some level of involvement will be asked to reconsider their membership on the team.
Read more: How do I join the Mautic Security Team?
You can meet the Mautic Security Team on the page below.
Read more: Meet the Mautic Security Team
These documents and our processes/workflows draw on resources and guidance from the Drupal, Joomla and Mozilla projects.
Always report the issue to the team and let them make the decision on whether to handle it in public or private.