Security policy

This page explains how we ensure that Magnolia is a secure platform for your project.

Magnolia is only as secure as your project implementation

There is no single certificate that would validate a web application as secure. Magnolia is a platform, which means security depends on the environment Magnolia is deployed in and on your project-specific implementation.

Only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack, or the technical impact may not make any difference to your business. Therefore, you should evaluate each risk for yourself, focusing on the threat agents, security controls, and business impacts in your enterprise. Open Web Application Security Project (OWASP)

OWASP Top 10 security risks

OWASP Top 10 is "a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications." (

OWASP Top 10 and Magnolia

While there is no certificate that could certify the Magnolia platform as secure, OWASP Top 10 is a very reasonable checklist.

It is a good idea to always validate your project implementation against the current OWASP Top 10 list.

How to report vulnerabilities

If you find a security vulnerability in Magnolia, please report it privately in one of the following ways:

Our goal is to keep the vulnerability private. Issues in the SUPPORT project are private to Magnolia and the issue reporter.

How we react to vulnerability reports

  1. Magnolia evaluates whether the vulnerability is real or a case of misconfiguration. If real, we commit to provide a fix in 30 days.

  2. Magnolia creates separate Jira issues for the fix. These issues are visible to Magnolia only.

  3. When a fix is available, Magnolia informs the reporter through the same channel where the issue was reported and provides the fix.

  4. Magnolia makes the fix available to all users in the next maintenance release. We make a short statement about the fix in release notes but give no details since unpatched installations are vulnerable.

  5. Jira issues for the fix remain private for 90 days after the fix is released. This protects users by preventing anyone from exploiting the vulnerability.

How to learn about security fixes

Backporting of security fixes

All currently maintained Magnolia branches get security fixes backported if the branch is vulnerable. For example, if a vulnerability is reported for Magnolia 6.2, we backport the fix to Magnolia 5.7.

Maintenance releases for the current major version are available for the Community Edition as well as DX Core.

Maintenance releases for previous major versions of Magnolia are available to DX Core users only (those who have an active subscription to DX Core).

Related topics

DX Core



This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules
6.3 beta

Magnolia 6.3 beta

Magnolia 6.3 is in beta. We are updating docs based on development and feedback. Consider the 6.3 docs currently in a state of progress and not final.

We are working on some 6.3-beta known issues during this phase.