Warning: This page has not been updated in over a year and may be outdated or deprecated.


The VuFind® project takes security seriously, and the code is written with security in mind. However, every application can have unanticipated security holes, and even a carefully-designed system can be insecure if configured incorrectly. This page collects security-related resources in one place.

Best Practices

See the Security for VuFind® Administrators page for step-by-step instructions on common security-related configuration needs as well as important best practice advice.

Known Vulnerabilities

Reporting a Security Issue

If you have discovered a security flaw in VuFind®, or if you have specific security-related concerns, please contact info@vufind.org to reach the Project Management Committee. The PMC will work with you to reach a satisfactory solution to your problem and make responsible disclosures to the community where necessary.

Vulnerability Handling

The vulnerability handling process is inspired by the Apache Software Foundation process, and it works like this:

  • A vulnerability is reported to the Project Management Committee.
  • The Project Management Committee, together with relevant committers, works privately with the reporter to resolve the vulnerability.
  • A new release is issued containing the fix to the vulnerability; fixes may also be backported to legacy release branches at the discretion of the development team.
  • The vulnerability is announced to the project's public mailing lists and Slack community, and mitigation instructions are posted to this page.

Other Resources

security.txt · Last modified: 2024/05/22 17:19 by demiankatz