ArchivesSpace is an open source application that depends on a large number of third party libraries and systems. While ArchivesSpace is developed using coding best practices and is routinely scanned for security issues, it is possible for ArchivesSpace or some components of ArchivesSpace to contain security vulnerabilities that would allow unexpected or dangerous behavior to be triggered. This policy explains how to report security issues.
Please email reports about any security-related issues you find to
archivesspacehome@lyrasis.org. Your email will be acknowledged as soon
as possible.
Please use a descriptive subject line for your report email. After the initial reply to your report, ArchivesSpace developers will keep you informed of the progress being made towards a fix. If you are able to patch the issue locally please consider contributing the code so that the larger community can benefit.
Please include the following information along in your report:
- Your name and affiliation (if any).
- A description of the technical details of the vulnerabilities. It is very important to let us know how we can reproduce your findings.
- An explanation of who can exploit this vulnerability and what they gain when doing so -- write an attack scenario, if you can. This will help us evaluate your report quickly, especially if the issue is complex.
- Whether this vulnerability is already public or known to third parties. If it is, please provide details.
- If the vulnerability was discovered by a specific scan or scanning tool, please include a copy of the report when possible.
Please note that when security issues are found, only the latest version of the application will be patched. Upgrade to the latest release of ArchivesSpace to ensure having all security updates.