CiviCRM security releases are announced via email and on the website.
Staying informed about CiviCRM security
- Subscribe to email notifications sent when a security release is published.
- View the list of recent security releases.
- View recent and past security advisories (RSS feed).
Supported CiviCRM Versions
Security releases are made for supported versions of CiviCRM only. Previous / unsupported versions will not receive security advisories. Where possible, advisories will state which prior versions of CiviCRM were affected by the issue resolved in the current release, but generally the most secure approach is to ensure you are running a current release.
Security release "windows" are the first and third Wednesday of every month, PDT timezone. A release window does not necessarily mean that a release will actually be made on that date. A regular window lets site administrators know in advance when to reserve availability for security upgrades.
How to report a security issue to CiviCRM
If you think you have discovered a security issue in CiviCRM, please follow this procedure:
- Outline the issue you believe exists
- Include detailed instructions for reproducing the issue if you are able
- Email full details to firstname.lastname@example.org
The CiviCRM security team will co-ordinate a release once they have identified and resolved the issue. You will be credited with having reported the issue (unless you request anonymity) and for any part you take in its resolution.
References for this document
This policy was written with reference to the following: