Security

This page provides an overview of the procedures the Maintainers follow when handling security issues. For information on our security policy, see the Decidim Security Policy.

  1. Security issues are received by email or through the GitHub Security Advisories feature.

  2. We will open a GitHub Security Advisory containing:

    1. an explanation of the issue, without giving many details about the vulnerability;

    2. the necessary metadata, such as affected releases and severity.

    3. We will not give a step-by-step explanation of how to exploit the vulnerability.

    4. Internally, we leave the instructions for other Maintainers in the comments of the Security Advisory, so that both the bug and the fix (when there is one) are reproducible.

  3. The issue will be handled privately (on a private fork) until a fix is ready.

  4. Once the fix is ready, we will open a PR to the develop branch with the fix.

  5. We will backport the fix to the supported versions.

  6. We will release new versions with the fix.

  7. In the Release Notes of the versions with the fix, we will add a note about the vulnerability referencing the CVE or, if no CVE has been assigned, the GitHub Security Advisory ID. See the Template for the Release Notes below.

  8. We will send a notification to the Decidim Devs Matrix chat room. We will not describe the vulnerability, only that there are new versions with a security fix. See the Template for the Decidim Devs chat room message below.

  9. We will wait for the grace period (2 or 4 months, depending on the severity) before disclosing the vulnerability.

  10. We will add a comment for the other Maintainers to keep track of when the Security Advisory will be published. See the Template for the Security Advisory messages below.

  11. We will update the metadata of the Security Advisory with the versions that contain the fix (the "Patched versions" field in the GitHub UI).

  12. We will add the publication date of the Security Advisory to the internal Decidim calendar.

  13. After the grace period, we will publish the Security Advisory.

  14. Once the Security Advisory is published, we will update the release notes message with a link to the published advisory page.

Template for the Release Notes

## Security fixes

This release addresses several security issues, including the following:

* CVE-20XX-XXXX
* CVE-20XX-XXXX

The details of these security vulnerabilities will be published on XXX 20XX, which is two months after the release date of this version. For more information, please refer to our [Security Policy](https://github.com/decidim/decidim/blob/develop/SECURITY.md).

We highly recommend updating to this version as soon as possible to ensure the security of your system.

Template for the Decidim Devs chat room message

Hi everyone! On behalf of the Decidim Maintainers Team, I would like to share the following message:

We want to inform you that there are new releases with security vulnerability fixes, v0.XXX.XXX [0] and v0.XXX.XXX [1]. We strongly recommend that you plan to update your installations accordingly.

As per our Security Policy [2], we will publish information about these vulnerabilities on XXX.

Regards,
XXX
(from the Decidim Maintainers Team)

[0] https://github.com/decidim/decidim/releases/tag/v0.XXX.XXX
[1] https://github.com/decidim/decidim/releases/tag/v0.XXX.XXX
[2] https://github.com/decidim/decidim/blob/develop/SECURITY.md

Template for the Security Advisory messages

Two versions with the fix have been published today: v0.XXX.XXX and v0.XXX.XXX.

The details of this security vulnerability will be published on XXX, in accordance with our security policy.