The DHIS2 security team takes security seriously. We are continuously improving our processes to minimize the risk to users and their data. If you discover what you believe to be a vulnerability in the application, we want to hear from you. Please follow the instructions below to ensure that your issue is properly attended to and that other users are not unnecessarily exposed to risk.
Reporting a vulnerability
- DO NOT report the issue on the public mailing lists
- DO NOT report the issue through the Jira system
- DO report the issue by sending an email to the DHIS2 security team at email@example.com
Your email should contain as much as possible of the following information:
- DHIS2 version:
- DHIS2 build number:
- Description of the issue:
- Why do you consider it a security vulnerability:
- Steps to reproduce:
- Do you want to be accredited: YES/NO
What happens next?
A member of the security team will respond acknowledging your email, typically within 24 hours. An issue will then be created on a private section of our issue tracker, where the security team and developers will assess the severity of the report. They will contact you with their severity assessment and an estimate of how and when the vulnerability will be addressed. If you have indicated that you wish to be accredited, your contribution will be acknowledged in the next release.
The security team is committed to making a public disclosure of security issues in a responsible manner. This implies that an issue may be embargoed for some time while a fix or workaround is created. If you are involved in the administration of DHIS2 servers you are advised to join the DHIS2 system administrators group at https://groups.google.com/forum/#!forum/dhis2-system-administrators. From time to time security announcements will be made to this group prior to being made more widely available.
When a vulnerability is discovered and fixed, every effort is made to backport the fix, but clearly it is not possible to provide continuous support for all versions. We aim to provide security support for at least the 3 most recent major released versions. Versions older than that might be vulnerable, and we advise you to keep your implementation up to date.
Who is the security team?
The security team is a multi-disciplinary team of the HISP project at the University of Oslo, including DHIS2 core developers.