How to report a security issue

If you discover or learn about a potential error, weakness, or threat that can compromise the security of Mautic and is covered by the Security Advisory Policy, we ask you to keep it confidential and submit your concern to the Mautic security team.

To make your report please send an e-mail to [email protected]

Do not post it in Github, the forums, or or discuss it in Slack.

The security team will investigate your report and then work with you and the Product Team to create a fix. If the fix is ready, we will create a release and announce the fix to a wide audience.

Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming. We aim to fix issues within 1 month, but we also need to balance that with the available time of our volunteer team and the need to release high quality fixes.

Do not disclose the vulnerability to anyone else before the advisory is issued.

If the vulnerability is not covered by the Security advisory policy, you can still report it via these channels, but it's also acceptable to post it directly to Github.

How to make a good security report

Provide a detailed report. Include as many of these items as possible:

  • Mautic version/s and/or plugin version affected by the issue.
  • Steps to reproduce the problem starting from a fresh install.
  • A proposed patch.
  • If sharing a vulnerability reported elsewhere, please include the source of this report.

Optional: you can indicate the way you would like to be referred to in the advisory about the vulnerability. Our preference is to use full names and where appropriate an organisation. If you do not specify we will do our best to find that information. You can also request a pseudonym or having your name withheld.

The Mautic Security Team does not disclose proof-of-concept information to demonstrate vulnerabilities and reporters are encouraged to do the same.

Where a reporter feels strongly that proof-of-concept instructions should be published, they are encouraged to hold that information for an additional period of at least 4 weeks after the release of the patched version of the software.

What if the vulnerability affects a plugin that is not covered by the Security Advisory policy?

If you are absolutely sure that the plugin is not covered by the policy, you can report the issue in the Github issue queue of the plugin or follow their reporting process for security issues.

It is considered good form to copy in the [email protected] email list if possible when reporting issues with third party plugins so that the Security Team is aware, but the Mautic Security Team does not handle security advisories for plugins hosted elsewhere.