The security of the dotCMS platform is of the utmost importance to dotCMS, to our user community and to our customers. dotCMS strives to ensure the security and integrity of all dotCMS installations and has processes in place to ensure all security issues are promptly addressed and customer exposure is minimized.
It is important for developers and administrators to realize that dotCMS is a web development and content platform and not a shrink-wrapped solution. As a platform, it is our job to provide modern tooling that allows responsible developers and administrators to deliver the most secure content-managed site or content application available. From a security standpoint, dotCMS is primarily concerned with security issues that arise from the dotCMS tooling itself, the admin console and related web services, rather than any specific web or content implementation built by third parties within the platform itself.
Fixes, Patches and Updates
The most secure dotCMS installation is always going to be the latest released version of the dotCMS platform. Each release is a culmination of many patches, bug fixes and improvements. While we will (for Enterprise Customers) provide security patches for older versions, we will always advise you to test against and run the latest codebase. Any security updates will be released to the community via a new version release and all security fixes will be placed in the source code and will be available to the community for analysis and generating security patches. dotCMS may choose to back-port security fixes to older versions based on Enterprise customer requests; such back-ported fixes will be made available to the community at large.
Please report any potential security issues by sending an email to security-at-dotcms.com. dotCMS maintains an up-to-date list of all known security issues. When reporting an issue, please specify what version of dotCMS is affected, how we can reproduce the issue and what browser or tool should be used to examine the issue. dotCMS will disclose all issues in a responsible manner, and we ask the same responsibility when reporting an issue. This means that before the technical details of an issue are made public, dotCMS should have a chance to analyze, reproduce and/or fix the reported security issue.
Triage & Priority
Once an issue has been reported, dotCMS will inspect the issue and attempt to reproduce the issue with the latest dotCMS version with the latest default data and starter implementations. Because dotCMS is a platform for content driven web development and web applications, many reported issues are actually issues with specific customer implementations running on top of dotCMS and not with dotCMS itself. If this is the case, the dotCMS security team will notify you that the reported issue is with a particular installation and not the core dotCMS codebase.
If the issue is deemed of general concern, dotCMS will 1) inform you, 2) create a new "known issue" on our site and 3) create a "fix issue" in GitHub, our bug tracker. We will then perform analysis on the issue and assign that issue a priority level/target fix version. There are three possible priorities a security issue can have:
- Low - Low priority generally includes denial of service or XSS (Cross-Site Scripting) type issues that do not compromise the underlying data or system. An issue will be marked as "low" if it requires a user to authenticate ("trusted user") in the dotCMS admin tool before the issue can be reproduced. Additionally, low priority issues offer no chance for privilege escalation, arbitrary code execution or data loss. Generally these issues can be easily worked around through the use of external tools, firewalls, etc.
- Moderate - Moderate issues constitute a security threat to the underlying data or system running dotCMS. This can include security compromises or privilege escalation, though "Moderate" issues still require a user to be authenticated ("trusted user") in the system.
- Critical - A critical issue is one that could be used to compromise dotCMS or the underlying server/system responsible for running dotCMS. A critical issue can be executed by any user and does not require any specific user authentication ("non-trusted user").