====== Security ======

The VuFind® project takes security seriously, and the code is written with security in mind. However, every application can have unanticipated security holes, and even a carefully-designed system can be insecure if configured incorrectly. This page collects security-related resources in one place.

===== Best Practices =====

See the [[administration:security|Security for VuFind® Administrators]] page for step-by-step instructions on common security-related configuration needs as well as important best practice advice.

===== Known Vulnerabilities =====

//No vulnerabilities have been reported yet.//

===== Reporting a Security Issue =====

If you have discovered a security flaw in VuFind®, or if you have specific security-related concerns, please contact info@vufind.org to reach the [[community:roles_and_responsibilities#project_management_committee|Project Management Committee]]. The PMC will work with you to reach a satisfactory solution to your problem and make responsible disclosures to the community where necessary.

===== Vulnerability Handling =====

The vulnerability handling process is inspired by the [[https://www.apache.org/security/|Apache Software Foundation process]], and it works like this:

  * A vulnerability is reported to the Project Management Committee.
  * The Project Management Committee (and relevant committers) work privately with the reporter to resolve the vulnerability.
  * A new release is issued containing the fix to the vulnerability; fixes may also be backported to legacy release branches at the discretion of the development team.
  * The vulnerability is announced to the project's public mailing lists and Slack community, and mitigation instructions are posted to this page.

===== Other Resources =====

  * The results of a 2023 security audit were discussed as part of the [[community:conferences:summit_2023|2023 VuFind® Summit]]. Recordings and associated documentation can be found on the [[community:conferences:summit_2023|page for the event]].