This page explains how we ensure that Magnolia is a secure platform for your project.
There is no single certificate that would validate a web application as secure. Magnolia is a platform, which means security depends on the environment Magnolia is deployed in and on your project-specific implementation.
Only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack, or the technical impact may not make any difference to your business. Therefore, you should evaluate each risk for yourself, focusing on the threat agents, security controls, and business impacts in your enterprise. – Open Web Application Security Project (OWASP)
Magnolia evaluates whether the reported vulnerability is real or a case of misconfiguration. If it is real, we commit to providing a fix within 30 days.
Magnolia creates separate Jira issues for the fix. These issues are visible to Magnolia only.
When a fix is available, Magnolia informs the reporter through the same channel in which the issue was reported and provides the fix.
Magnolia makes the fix available to all users in the next maintenance release. We make a short statement about the fix in the release notes but give no details, since installations that have not yet been patched remain vulnerable.
Jira issues for the fix remain private for 90 days after the fix is released. This protects users by withholding details that could help an attacker exploit the vulnerability in installations that have not yet been updated.
All currently maintained Magnolia branches get security fixes backported if the branch is vulnerable. For example, if a vulnerability is reported for Magnolia 6.2, we backport the fix to Magnolia 5.7.
Maintenance releases for the current major version are available for the Community Edition as well as DX Core.
Maintenance releases for previous major versions of Magnolia are available to DX Core users only (those who have an active subscription to DX Core).