DNN Security

Overview

DNN makes every effort to quickly analyze reported security issues and to provide workarounds and releases that address those issues as required.

 


Information

Reporting Security Issues

  • To report potential security issues and questionable security scan results, please contact DNN by email at security@dnnsoftware.com.
  • All submissions are viewed by members of the DNN Security Task Force only.
  • Submissions are discussed outside the Task Force only if permitted by the individual or company that reported the issue.

Severity Levels

Each confirmed issue is assigned a severity level (Critical, Moderate, or Low) based on its potential impact on the security of DNN installations.

  • Critical 
    The security issue could be exploited by a remote attacker to gain access to DNN data or functionality. Security bulletins for all critical issues include a recommended workaround or a fix that must be applied as soon as possible.

  • Moderate 
    The security issue could compromise data or functionality only if another condition is met, e.g., if a specific module is installed or if a user in a specific role logs in. Security bulletins for moderate issues typically include recommended actions to resolve the issue.

  • Low 
    The security issue is very difficult to exploit, or its potential impact is limited. 

 

Security Bulletins

  • The Security Task Force publishes security bulletins on the DNN blog, in forum posts, and sometimes by email.
  • Each bulletin includes details about the issue, the affected DNN versions, and suggested fixes or workarounds.
  • Security bulletin notifications will no longer be sent out to DNN users.

 

To stay up to date on the latest security information, check the Release Notes and view the full list of known and resolved issues and their bulletins.

Security Support for Retired Versions

  • Bug fixes and enhancements are applied only to the most recent major release.
  • Previous releases are considered retired. Example: After version 9.0 was released, all 8.x versions were considered retired.

 

However, DNN continues to provide maintenance releases for retired versions that are affected by a newly discovered security issue, up to one year after the version is retired.

Example: 8.x versions were retired when 9.0 was released on 2016 December 9. If DNN becomes aware of a security issue that affects 8.x, a security maintenance release will still be published for 8.x until 2017 December 9.
