Security

The VuFind® project takes security seriously, and the code is written with security in mind. However, every application can have unanticipated security holes, and even a carefully-designed system can be insecure if configured incorrectly. This page collects security-related resources in one place.

See the Security for VuFind® Administrators page for step-by-step instructions on common security-related configuration needs as well as important best practice advice.

No vulnerabilities have been reported yet.

If you have discovered a security flaw in VuFind®, or if you have specific security-related concerns, please contact info@vufind.org to reach the Project Management Committee. The PMC will work with you to reach a satisfactory solution to your problem and make responsible disclosures to the community where necessary.

The vulnerability handling process is inspired by the Apache Software Foundation process, and it works like this:

• A vulnerability is reported to the Project Management Committee.
• The Project Management Committee (and relevant committers) work privately with the reporter to resolve the vulnerability.
• A new release is issued containing the fix to the vulnerability; fixes may also be backported to legacy release branches at the discretion of the development team.
• The vulnerability is announced to the project's public mailing lists and Slack community, and mitigation instructions are posted to this page.

• The results of a 2023 security audit were discussed as part of the 2023 VuFind® Summit. Recordings and associated documentation can be found on the page for the event.