For operators
From “Guidance for Operators” in https://open-edx-proposals.readthedocs.io/en/latest/processes/oep-0060-proc-sec-group.html#guidance-for-operators:
What do I do if I am an operator and someone reports a vulnerability to me?
If you believe this is a vulnerability in the Open edX Platform, please forward the issue to security@openedx.org or ask the reporter to re-file the issue with security@openedx.org.
What will happen if a report is accidentally sent to security@openedx.org for the operation of my Open edX instance?
Please let security@openedx.org know the best email (preferably a group email, like security@company.com) to forward such reports to, along with your Open edX instance name, domain, and separate contact information for an individual responsible for security at your organization.
The Security Working Group will do their best to forward such reports to the correct organization.
How do I receive notification of the release of upcoming security patches?
Please watch the Open edX Discourse Security Announcements topic at https://discuss.openedx.org/c/announcements/security/19 . If you are logged in, select the button with a bell icon on the top right corner above the topic list and choose “Watching First Post”.
Discourse should then send the announcements to your email with [Open edX discussions] [Announcements/Security] in the subject line.