For operators

From “Guidance for Operators” in OEP-60 Open Source Security Working Group — Open edX Proposals 1.0 documentation:

What do I do if I am an operator and someone reports a vulnerability to me?

What will happen if a report is accidentally sent to security@openedx.org for the operation of my Open edX instance?

  • Please let security@openedx.org know the best email (preferably a group email, like security@company.com) to forward such reports to, along with your Open edX instance name, domain, and separate contact information for an individual responsible for security at your organization.

  • The Security Working Group will do their best to forward such reports to the correct organization.

How do I receive notification of the release of upcoming security patches?

  • Please watch the Open edX Discourse Security Announcements topic at Security. If you are logged in, select the button with a bell icon in the top right corner above the topic list and choose “Watching First Post”.

  • Discourse should send the announcements to your email with [Open edX discussions] [Announcements/Security] in the subject line.