Security policy¶
Reporting security issues¶
TL;DR
Alert us privately at info@inveniosoftware.org.
Normal bugs should be reported to the specific Invenio module's GitHub repository. However, due to sensitive nature of security issues, we ask that you do not report in a public fashion. This will allow us to distribute a security patch before potential attackers look at the issue.
If you believe you've found a security issue in Invenio, please send a description of the issue to info@inveniosoftware.org. Mails sent to this email address is logged in our request tracking system where Invenio architects have access to them.
You will first receive an automated notification from the request tracking system. Afterwards an Invenio architect will acknowledge the receipt (normally within 1-2 working days).
Supported versions¶
Please see our maintenance policy. Note that only supported versions are guaranteed to receive security fixes, and we only investigate if a given issue is affecting any of the currently supported versions of Invenio.
Disclosure of security issues¶
Advance notification¶
We will notify 2-5 days in advance about an upcoming security release and the severity level of the issue. The notification will not disclose any information about the issue except the severity level, and the sole purpose of the notification is to aid organisations to ensure they have staff available to handle the issue.
The notifications are sent to:
- Chatroom: https://discord.gg/8qatqBC
Time-sensitive issues
In case the issue is particularly time-sensitive (e.g. known exploits in the wild) we may omit the advance notification.
Upstream libraries/frameworks
If an issue reported to us is affecting another library/framework we may report the issue privately to the maintainers of the affected library/framework.
Public announcement¶
On the day of the disclosure we take the following steps:
- Apply patches to the Invenio source code
- Issue new releases of Invenio and the affected modules to PyPI and/or NPM.
- Notify the chatroom (see above).
- Post an entry to the Invenio blog.
Severity levels¶
We classify security issues according to the following severity levels:
- Critical
- High
- Moderate
- Low
The severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at NIST NVD.
Credit
This security policy have drawn heavy inspiration from Django's security policy.