Mautic Security Team
Learn more about Mautic's Security Team, what kind of security issues Mautic responds to, who's on the team, and how to report an issue.
Goals of the Mautic Security Team
The Mautic Security Team are focused on:
- Resolving reported security issues
- Releasing and disclosing security fixes in an ethical and timely way
- Providing documentation on how to write secure code
- Providing documentation on how to secure your Mautic instance
- Helping the infrastructure team to keep the *.mautic.org infrastructure secure
Scope of the Mautic Security Team
The Mautic Security Team operates with a limited scope and only directly responds to issues with Mautic core, officially supported plugins and the *.mautic.org network of websites and resources. The team does not directly handle potential vulnerabilities with third party plugins or individual Mautic instances.
Mautic is a CVE Numbering Authority (CNA) under MITRE, which means that the Security Team is responsible for issuing CVEs for anything in the Mautic namespace (Mautic itself, and officially supported plugins, themes and applications).
How to report a potential security issue
If you discover or learn about a potential error, weakness, or threat that can compromise the security of Mautic and is covered by the Security Advisory Policy, we ask you to keep it confidential and submit your concern to the Mautic security team.
To make your report please submit it via GitHub as a private disclosure at https://github.com/mautic/mautic/security.
Do not post it on GitHub as a general issue or pull request, on the forums, or discuss it in Slack.
How are security issues resolved and released?
The Mautic Security Team are responsible for triaging incoming security issues relating to Mautic Core and the officially supported plugins, and for releasing fixes in a timely manner.
The Security Team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance.
The team may deem it necessary to make an out-of-sequence release, in which case at least two weeks’ notice will be provided to ensure that Mautic users are made aware of a security release being made on an unscheduled basis.
What is a Security Advisory?
A security advisory is a public announcement managed by the Mautic Security Team which informs Mautic users about a reported security problem in Mautic core or an officially supported plugin and the steps Mautic users should take to address it. (Usually this involves updating to a new release of the code that fixes the security problem.)
What is the disclosure policy of the Mautic Security Team?
The security team follows a Coordinated Disclosure policy: we keep issues private until there is a fix. Public announcements are made when the threat has been addressed and a secure version is available.
When reporting a security issue, observe the same policy. Do not share your knowledge of security issues with others.
How do I join the Mautic Security Team?
As membership in the team gives the individual access to potentially destructive information, membership is limited to people who have a proven track record in the Mautic community.
Team members are expected to work at least a few hours every month. Exceptions to that can be made for short periods to accommodate other priorities, but people who can’t maintain some level of involvement will be asked to reconsider their membership on the team.
Who are the Mautic Security Team members?
You can meet the Mautic Security Team on the page below.