We've just added a page detailing CiviCRM's security policy and release process.
This page is intended to help people identify how they can stay abreast of security updates, know when to expect them, and how to tell which release of CiviCRM to expect security fixes for.
If you maintain or operate a CiviCRM site (or sites!) then you this is a page you should be familiar with, and there are a few actions you should take -
- Make sure your team are subscribed to security notification updates.
- Put the newly announced security release window, first Wednesday of the month, in your schedule.
- Make sure your installed sites are running a supported release, so they qualify for security fixes!
The CiviCRM community are making ongoing efforts to improve CiviCRM's security and processes, and we hope this will help our users better understand, manage and organize security on their CiviCRM sites.