Reporting security issues¶
Normal bugs should be reported to the specific Invenio module’s GitHub repository. However, due to sensitive nature of security issues, we ask that you do not report in a public fashion. This will allow us to distribute a security patch before potential attackers look at the issue.
If you believe you’ve found a security issue in Invenio, please send a description of the issue to firstname.lastname@example.org. Mails sent to this email address is logged in our request tracking system where Invenio architects have access to them.
You will first receive an automated notification from the request tracking system. Afterwards an Invenio architect will acknowledge the receipt (normally within 1-2 working days).
Please see our Maintenance Policy. Note that only supported versions are guaranteed to receive security fixes, and we only investigate if a given issue is affecting any of the currently supported versions of Invenio.
Disclosure of security issues¶
We will notify 2-5 days in advance about an upcoming security release and the severity level of the issue. The notification will not disclose any information about the issue except the severity level, and the sole purpose of the notification is to aid organisations to ensure they have staff available to handle the issue.
The notifications are sent to:
Mailing list: email@example.com
In case the issue is particularly time-sensitive (e.g. known exploits in the wild) we may omit the advance notification.
If an issue reported to us is affecting another library/framework we may report the issue privately to the maintainers of the affected library/framework.
On the day of the disclosure we take the following steps:
Apply patches to the Invenio source code
Issue new releases of Invenio and the affected modules to PyPI and/or NPM.
Notify the chatroom and mailing list (see above).
Post an entry to the Invenio blog.
We classify security issues according to the following severity levels:
The severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at NIST NVD.
This security policy have drawn heavy inspiration from Django’s security policy.