CiviCRM security releases are announced via email and on the website.
Staying informed about CiviCRM security
- Subscribe to email notifications
- View the list of recent security releases
- View recent and past security advisories (RSS feed)
Supported CiviCRM Versions
Security releases are made for supported versions of CiviCRM only. Previous / unsupported versions will not receive security advisories. Where possible, advisories will state which prior versions of CiviCRM were affected by the issue resolved in the current release - but generally the most secure approach is to ensure you are running a current release.
Release Timing
Whenever there is a new security release, it will be published on the first or third Wednesday of the month. As a courtesy, the Security Team will generally provide advance notice by sending email to the security notification list in the weeks before, but this will depend on circumstance. On the day of release, updates are generally published near the end of the day ("US/Pacific" timezone).
How to report a security issue to CiviCRM
If you think you have discovered a security issue in CiviCRM, please follow this procedure:
- Outline the issue you believe exists
- Include detailed instructions for reproducing the issue if you are able
- Email full details to security@civicrm.org
The CiviCRM security team will co-ordinate a release once they have identified and resolved the issue. You will be credited with having reported the issue (unless you request anonymity) and for any part you take in its resolution, provided you adhere to the responsible disclosure practices outlined above.
References for this document
This policy was written with reference to the following: