Skip to content

Security: GeoNode/geonode

SECURITY.md

Security Policy

Supported Versions

GeoNode versions supported with security updates.

Version Supported
5.1.x
5.0.x
< 5

This approach provides ample time for upgrading ensuring you are always working with a supported GeoNode release.

If your organization is making use of a GeoNode version that is no longer in use by the community all is not lost. You can volunteer on the developer list to make additional releases, or engage with one of our Commercial Support providers.

Reporting a Vulnerability

  1. DO NOT report vulnerabilities on the public mailing list or any other public channel

  2. There are two options to report a security vulnerability:

  3. There is no expected response time.

  4. Keep in mind participants are volunteering their time, an extensive fix may require fundraising/resources.

Thanks for you support and help!

Coordinated vulnerability disclosure

Disclosure policy:

  1. The reported vulnerability has been verified by working with the GeoNode PSC
  2. GitHub security advisory is used to reserve a CVE number by the GeoNode Organization
  3. A fix or documentation clarification is accepted and backported to active branches
  4. A fix is included for the active branches release downloads (reelases, or issued via emergency update)
  5. The CVE vulnerability is published by the GeoNode Organization with mitigation and patch instructions

This represents a balance between transparency and participation that does not overwhelm participants. Those seeking greater visibility are encouraged to volunteer with the geonode-devel list; or work with one of the commercial support providers who participate on behalf of their customers.

Learn more about advisories related to GeoNode/geonode in the GitHub Advisory Database