Resolving security issues
The Mautic Security Team are responsible for triaging incoming security issues relating to Mautic core and officially supported plugins, and for releasing fixes in a timely manner.
Basic security team workflow
The basic workflow that the Mautic Security Team follows is:
- Review the issue and evaluate the potential impact on all supported releases of Mautic.
- If the report describes a valid problem, the security team mobilises to eliminate it.
- New versions are created, reviewed, and tested.
- New releases are created on GitHub.
- When an issue has been fixed, we use all available communication channels to inform users of steps that must be taken to protect themselves.
The Mautic Security Team aims to handle all issues in a timely manner and to communicate clearly with issue reporters. As such, we have established the following guidelines for responding to issue reports:
- Within 24 hours every report gets acknowledged.
- Within 7 days every report gets a further response stating either:
  - the issue is closed (and why); or
  - the issue is still under investigation; if needed, additional information will be requested.
- Within 21 days every report must be resolved unless there are exceptional circumstances requiring additional time.
While these are our goals, and while we do our best to keep to this timeline, it may sometimes take longer to bring an issue to the point where it is ready for release.
Unless the threat level dictates otherwise, security patches will be rolled into the next security release, the middle month of each quarter.
Vulnerability threat levels
The security advisory risk level system is based on the NIST Common Misuse Scoring System (NIST IR 7864).
Security announcement and release process
Providing security requires more than simply posting a patch release. Hundreds of thousands of people rely on the Mautic Security Team to notify them of known vulnerabilities.
The Security Team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance.
The team may deem it necessary to make an out-of-sequence release, in which case at least two weeks’ notice will be provided to ensure that Mautic users are made aware of a security release being made on an unscheduled basis.
If you are concerned with the response time or the handling of a security issue, please send an email to [email protected]. You may publicly discuss the policy, but not the details of any non-disclosed issue.
Past security announcements are listed on the Security announcements page.
Disclosure policy
The security team follows a Coordinated Disclosure policy: we keep issues private until there is a fix.
Public announcements are made when the threat has been addressed and a secure version is available.
When reporting a security issue, observe the same policy. Do not share your knowledge of security issues with others.
Which versions are supported?
Please check the Releases page for the currently supported versions.
Development branches and alpha, beta and release candidate releases are not intended for production use.
Upgrade if you are using an unsupported version of Mautic, or pay for Extended Long Term Support for versions after Mautic 4 which are out of security support – this gives you the opportunity to receive back-ported security fixes for up to two years after official security support ends.
Our security advisory policy has a detailed description of this process and which releases get advisories.