Security: tvatavuk/Dnn.Platform

SECURITY.md

Security Policy

Reporting a Vulnerability

We make every effort to ensure speedy analysis of reported issues and, where required, provide workarounds and updated application releases to fix them. If you see suspected issues or security scan results, please report them via the GitHub feature for reporting a security vulnerability.

All submitted information is viewed only by members of the DNN Security Task Force, and will not be discussed outside the Task Force without the permission of the person/company who reported the issue. Each confirmed issue is assigned a severity level (critical, moderate, or low) corresponding to its potential impact on the security of DNN installations.

  • Critical means the issue can be exploited by a remote attacker to gain access to DNN data or functionality. All critical issue security bulletins include a recommended workaround or fix that should be applied as soon as possible.
  • Moderate means the issue can compromise data or functionality on a portal/website only if some other condition is met (e.g. a particular module or a user within a particular role is required). Moderate issue security bulletins typically include recommended actions to resolve the issue.
  • Low means the issue is very difficult to exploit or has a limited potential impact.

Once an issue has been resolved via a public release of DNN Platform, the release notes on GitHub are updated to reflect that security bulletins exist for the release. Additionally, the DNN Community Security Center is updated with the vulnerability details. We strongly suggest using the "Watch" option on GitHub for "Releases" at a minimum to receive notifications of updated DNN Platform Releases.

As a general policy, DNN Platform does not issue Hot Fix releases to prior versions of DNN Platform. If a remediation is possible via configuration, it shall be noted as applicable in the posted bulletins.

There aren’t any published security advisories