DotNetNuke takes the issue of security very seriously. We make every effort to ensure speedy analysis of reported issues and, where required, provide workarounds and updated application releases to fix them.
Reporting Security Issues
Please report suspected issues/security scan results using either of the two methods below:
Form: Report Security Issue
All information submitted is viewed only by members of the DotNetNuke Security Task Force, and will not be discussed outside the Task Force without the permission of the person/company who reported the issue.
Each confirmed issue is first assigned a severity level (Critical, Moderate, or Low) corresponding to its potential impact on the security of DotNetNuke installations.
- Critical—A security issue is rated critical if it can be exploited by a remote attacker to gain access to DotNetNuke data or functionality. All critical issue security bulletins include a recommended workaround or fix that should be applied as soon as possible.
- Moderate—A security issue is rated moderate if it can compromise data or functionality on a portal/website only if some other condition is met (e.g. a particular module or a user within a particular role is required). Moderate issue security bulletins typically include recommended actions to resolve the issue.
- Low—A security issue is rated low if it is very difficult to exploit or has a limited potential impact.
The Security Task Force then issues a security bulletin via the DotNetNuke security blog, forum posts and, where judged necessary, email. The bulletin provides details about the issue, the DotNetNuke versions impacted, and suggested fixes or workarounds.
When DotNetNuke issues a new major release (e.g. moving from 6.x to 7.x) we "sunset" the previous release. This means that all future bug fix and enhancement work is only done on the latest release, i.e. the sunsetted release is effectively code frozen. However, we recognise that not everyone can move rapidly to a new major release, so if security issues are discovered that affect the sunsetted release we will create a maintenance release to address those specific security vulnerabilities. We will continue to provide this level of support for 1 year from the date of the latest major release. In the case of DotNetNuke 6.x and 7.0, the latter having been released on Nov 28th 2012, it means that 5.x releases will continue to be supported for security reasons until Nov 28th 2013.
The DotNetNuke security blog provides information on general security matters, as well as details on new issues, releases, and documentation. We recommend that you visit the blog regularly to keep up to date on the latest DotNetNuke security information.