About the Joomla Security Strike Team
About The Name

In wildland firefighting, the term "Strike Team" is used to describe a collection of similar resources which are used for a specific purpose (http://en.wikipedia.org/wiki/Strike_Team). The JSST is called a strike team because it is a collection of developers and security experts tasked with improving and managing security for Joomla.

Goals

- Investigate and respond to reported core vulnerabilities.
- Execute code reviews prior to release to identify new vulnerabilities.
- Provide public presence regarding security issues.
- Help the community understand Joomla security.
Security Announcement Policy

- Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
- All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for the vulnerability.
Public Responses Policy

Articles are written about Joomla all the time. In many circumstances, these articles (even from reputable sources) contain a significant amount of misinformation.

- The JSST will assess and address articles written about security issues.
- If the article contains valid information about a vulnerability not yet fixed, we will ask the publisher to suspend the article until we can fix the issue.
- If the article contains invalid information, we will note what is invalid, and ask the publisher to either fix or remove the article.
- The JSST will be available to answer questions/validate any Joomla security-related articles on the publisher's request.
Security Release Policy

- Critical and high-level vulnerabilities trigger an immediate release cycle.
- Moderate vulnerabilities may trigger a release cycle depending on the specific issue.
- Low and very low vulnerabilities (and moderates which do not trigger a release cycle) will be included with the next scheduled maintenance release.
- All security releases will be accompanied by one (or more) appropriate security announcements.
Vulnerability Threat Levels

There are two main details that contribute to a vulnerability's priority or "threat level":

Impact

- Critical - "0-day" attacks, and attacks where site control is compromised (allows an attacker to take control over the site).
- High - SQL injection attacks, remote file include attacks, and other attack vectors where site data is compromised.
- Moderate - XSS attacks, write ACL violations (editing or creating of content where not allowed).
- Low - read ACL violations (reading of content where not allowed).
Severity

- Critical - VERY easy to perform. Relies on no outside information (TRUE 0-day attack).
- High - Moderately easy to perform. May rely on readily available outside information.
- Moderate - Not easy to perform. May rely on sensitive information.
- Low - Difficult to perform. Relies on sensitive information or requires special circumstances to perform.
* NOTE: The descriptions are just generic guidelines. Each vulnerability will be assessed for damage potential and will be ranked accordingly.

Supported Versions

- All currently developed and supported versions of Joomla will be actively monitored by the JSST.
- Currently active versions include:
  - Joomla 1.0.x
  - Joomla 1.5.x
How to Help

- If you find a possible vulnerability, report it to the JSST FIRST. You can contact the team via the contact form in the Security Center.
- If you find a reported vulnerability (reported elsewhere), contact the JSST ASAP (include where you saw the report).
- You can provide patches for any issues that you find (e-mail the team for more information on how to submit a patch).
- Join the team! Due to the sensitive nature of the team, we restrict who joins. But if you think you'd be a good fit, contact the team via the contact form in the Security Center.