  • 4/7/2015
Security

Last updated 4 months ago

DotNetNuke takes the issue of security very seriously. We make every effort to ensure speedy analysis of reported issues and, where required, provide workarounds and updated application releases to fix them.

Reporting Security Issues

Please report suspected issues/security scan results via https://github.com/dnnsoftware/Dnn.Platform/security/policy.

All information submitted is viewed only by members of the DotNetNuke Security Task Force, and will not be discussed outside the Task Force without the permission of the person/company who reported the issue.

You may also want to view the full list of known and resolved issues and their bulletins.

Bulletin Severity Levels

Each confirmed issue is first assigned a severity level (Critical, Moderate, or Low) corresponding to its potential impact on the security of DotNetNuke installations.

  • Critical—A security issue is rated critical if it can be exploited by a remote attacker to gain access to DotNetNuke data or functionality. All critical issue security bulletins include a recommended workaround or fix that should be applied as soon as possible.
  • Moderate—A security issue is rated moderate if it can compromise data or functionality on a portal/website only if some other condition is met (e.g. a particular module or a user within a particular role is required). Moderate issue security bulletins typically include recommended actions to resolve the issue.
  • Low—A security issue is rated low if it is very difficult to exploit or has a limited potential impact.

The Security Task Force then issues a security bulletin via the DotNetNuke security blog, forum posts and, where judged necessary, email. The bulletin provides details about the issue, the DotNetNuke versions impacted, and suggested fixes or workarounds.

Security Blog

The DotNetNuke security blog provides information on general security matters, as well as details on new issues, releases, and documentation. We recommend that you visit the blog regularly to keep up to date on the latest DotNetNuke security information. The blog can be read or added to your newsreader here

Sunsetted releases

When DotNetNuke issues a new major release (e.g. moving from 6.x to 7.x) we "sunset" the previous release. This means that all future bug fix and enhancement work is only done on the latest release, i.e. the sunsetted release is effectively code frozen. However, we recognise that not everyone can move rapidly to a new major release, so if security issues are discovered that affect the sunsetted release we will create a maintenance release to address those specific security vulnerabilities. We will continue to provide this level of support for 1 year from the date of the latest major release. In the case of DotNetNuke 6.x and 7.0, the latter having been released on Nov 28th 2012, it means that 6.x releases will continue to be supported for security reasons until Nov 28th 2013.
