If a security issue is discovered in a CiviCRM extension, please contact the security team at security@civicrm.org. More information here: https://civicrm.org/security

This page is a draft document on how to handle various scenarios regarding security issues with extensions.

# Alerting users

* The Extension directory has a service that warns admins about available upgrades, but does not alert when the upgrade is a security upgrade.
* CiviCRM blog posts for important updates (same as for when CiviCRM core has a security announcement).

# Working with maintainers

* Contact maintainers privately, since GitLab "private issues" are visible to anyone with "reporter" level.
* If the maintainer is not responsive, remove the extension from the directory (unpublish the node, or unpublish the releases?).