Vulnerability reporting

So, you found a vulnerability in Enano?

The Enano project believes in and supports responsible disclosure and the "release early, release often" philosophy.

If you have found a security issue with Enano, please use the following procedure:

How to report a vulnerability

  1. Test the latest versions of both the current stable and unstable branches.
  2. If possible, pull the latest revision (both stable and unstable) from Mercurial, install it, and test both.
  3. Recommended: Encrypt your e-mail using Dan Fuhry's PGP key. The key ID is 0x40FD6D2E, and the public key is at: http://pgp.mit.edu/pks/lookup?op=get&search=0x6E715AF940FD6D2E.
  4. Send your vulnerability report to . Be as specific as possible in describing the vulnerability. Include an example exploit, if possible. Patches are even better, but not necessary.

Response policy

The Enano project will attempt to verify and release fixes for all reported vulnerabilities within 24 hours of acknowledgment. We ask that you wait 7 days to release exploit details, to give time for website owners to upgrade their installations. When committing security patches, the commit entry is always prefixed with "SECURITY: ", in all caps.

If a vulnerability exists in multiple versions of the same Enano branch, only the latest version will receive a patch-level (PL) release. However, in many cases it is possible to take the patch from Mercurial and apply it to previous versions.

Notification policy

All security updates are announced on our Twitter page and in the main project news feed on the front page of enanocms.org. That news feed is also available as an RSS feed.
