How secure is ImpressPages ? #667
Comments
Before major releases we go through a bug bounty program, which means we pay our money to everyone who finds a security issue. Only when everything is fixed is the release published. We always ask the community and other developers to check from their perspective for possible security issues. If something is found, we immediately release a fix. If website owners allow us to contact them, we send a security notification through email. Is that good enough? Do you have any other suggestions?
Seems a fair approach to me, but I'm not a security expert by any means so I can't judge whether that is sufficient or not ;-) However I do have some other suggestions that might improve the security of the product as well:
Therefore I also prefer many small incremental code updates that are easy to install rather than few large updates once in a year (or even less) that might be much more difficult to install, but as far as I can see this is already the case with IP 👍
Contributions are being reviewed, but we take no responsibility if there are bugs. A new version of a plugin / theme can be installed by going to the market and pressing Install.
Of course I understand you aren't taking any responsibility if there are bugs in contributions, seems obvious to me, but I was referring specifically to possible security issues in contributions in which case you might simply reject the contributed plugin/theme until the issue is fixed. Regarding the plugins / themes, I understand they can be installed from the market place, but I would love to see the possibility to update them with a click of a button whenever that is required (e.g. important security update or bug fix).
Good point. I've just updated that page. https://www.impresspages.org/plugin-update
Thanks, I wasn't aware it was already possible.
Better not install or use this, as it is no longer being maintained against any of the recent security exploits.
@jult you are responding to a question that was asked more than 4 years ago now? With regard to ImpressPages, can you share with the community the recent security exploits you are referring to?
How secure is ImpressPages and more interestingly: what precautions are being taken to make IP as secure as possible ?
Are there any security audits performed ?
Is there a release strategy in place regarding security related fixes ?
I understand security is a complex matter but some indications would be very interesting.
According to this site there was only 1 vulnerability detected in the past, which is obviously a very good score, but if there aren't any audits or other security related tests, then that score probably doesn't tell us that much.
Also, there might be other vulnerabilities that were not included in this database.
E.g. I found this link as well, which refers to an exploit that was never included in the cvedetails database.