This article will detail how to report and receive support for a DNN Security issue or vulnerability.
DNN makes every effort to quickly analyze reported security issues and to provide workarounds and releases that address those issues as required.
Reporting Security Issues
- To report potential security issues and questionable security scan results, please contact DNN by email at firstname.lastname@example.org.
- All submissions are viewed by members of the DNN Security Task Force only.
- Submissions are discussed outside the Task Force only if permitted by the individual or company that reported the issue.
- The Security Task Force publishes security bulletins in the DNN blog, in forum posts, and sometimes by email.
- Each bulletin includes details about the issue, the affected DNN versions, and suggested fixes or workarounds.
- Security bulletin notifications will no longer be sent out to DNN users.
If you would like to be updated on the latest security information, it is recommended to check the Release Notes and view the full list of known and resolved issues and their bulletins.
Each confirmed issue is assigned a severity level (Critical, Moderate, or Low) based on its potential impact on the security of DNN installations.
The security issue could be exploited by a remote attacker to gain access to DNN data or functionality. Security bulletins for all critical issues include a recommended workaround or a fix that must be applied as soon as possible.
The security issue could compromise data or functionality, only if another condition is met—e.g., if a specific module is installed or if a user in a specific role logs in. Security bulletins for moderate issues typically include recommended actions to resolve the issue.
The security issue is very difficult to exploit, or its potential impact is limited.
- Bug fixes and enhancements are applied only to the most recent major release.
- Previous releases are considered retired. Example: After version 9.0 was released, all 8.x versions were considered retired.
However, DNN continues to provide maintenance releases for retired versions that are affected by a newly discovered security issue, up to one year after the version is retired.
Example: 8.x versions were retired when 9.0 was released on 2016 December 9. If DNN becomes aware of a security issue that affects 8.x, a security maintenance release will still be published for 8.x until 2017 December 9.