International ILIAS Blog
ILIAS and Security
More and more often we read in the media about targeted hacks and attacks on popular software platforms, databases and content management systems. Software with many users in particular is a worthwhile target for attackers looking to steal personal information.
As server-operated software, ILIAS is in principle also exposed to such attacks. So that it never comes to that, we work hard to prevent bugs and to close security loopholes that become known to us. Together with the technical board, we have put together a short FAQ explaining how security vulnerabilities are handled in ILIAS.
What should we do if we find a security vulnerability?
Security bugs should on no account simply be reported in Mantis! Potential attackers could in theory read about them there and then exploit them. Our goal is therefore to always fix these vulnerabilities quietly first and to inform the admins accordingly, before details of the vulnerabilities become public knowledge. We therefore ask you to send reports of any vulnerabilities you discover only to security@lists.ilias.de!
We are of course delighted when solutions are offered together with the initial report. Please be aware, however, that our repository is also open to the general public: commits, commit-messages and pull-requests can be viewed by anyone. It is therefore also better in this case to send reports to security@lists.ilias.de in order to discuss further steps with us.
What happens when such a report is made? How do things go from there? What does the technical board do?
After receiving such a report, the vulnerability is immediately put up for discussion in the technical board. As soon as one of us is able to reproduce the bug/vulnerability, we create a security ticket in a protected area of Mantis. The technical aspects are then discussed further there.
Directly afterwards, we also discuss within the technical board how to proceed. As soon as the bug/vulnerability is fixed, we immediately publish the fix in Git – without, however, specially marking it as a security fix. Additionally, a new ILIAS release is then promptly put together.
How are the ILIAS administrators on the ground informed? And what do they have to pay attention to?
The admins are informed via our new mailing list ilias-admins@lists.ilias.de. When a security vulnerability in a specific version of ILIAS has been identified and fixed, we recommend that all admins update as soon as possible.
Admins not yet on the list can register here: http://lists.ilias.de/cgi-bin/mailman/listinfo/ilias-admins
What measures are taken to prevent security vulnerabilities?
We distinguish between reactive and proactive measures; some of the reactive measures are described above. In addition, every fixed vulnerability is followed up with an analysis of how the problem arose in the first place and how we can prevent similar problems from occurring in the future.
As part of our proactive measures, we are planning to have external penetration tests conducted on ILIAS as soon as possible. We are still however in the early stages of clarifying certain basic conditions – for example concerning the financing.