If you discover any security concerns with openEQUELLA or associated technology, please let the security group know by sending an email to security@apereo.org, or through your commercial service partner. Please do not raise security issues on the public tracker.
Team members of the openEQUELLA Security Group will field the issues and open a Draft Advisory on GitHub as needed - https://github.com/openequella/openEQUELLA/security/advisories
The openEQUELLA Security Group will then review the issue and help determine next steps. The openEQUELLA Security Group team member who originally fielded the issue will then respond to the originator with the recommended path forward.
When deemed appropriate by the above review:
- An embargo date is chosen (the date on which the issue becomes public)
- A CVE issue is opened
- A fix is created (ideally on a private fork)
- On the embargo date:
  - The fix is released
  - The Advisory is published
  - Notices are sent out on the equella-users and equella-dev mailing lists.
The openEQUELLA Security Group is not responsible for fixing a given security issue. They are responsible for doing the initial review, recommending a path forward, and guiding the advisory to completion.
The openEQUELLA Security Group generally focuses on the latest release for security issues. As of August 12th, 2020, the focus would be on security issues in openEQUELLA 2020.1.3.