How to responsibly report a security issue
Acquia takes the security of our products very seriously. We educate our staff on security best practices and our development process includes quality assurance such as peer review to help ensure our products are high quality and secure. However, like all complex software products it is possible that a security vulnerability may be present in one of our products. If you discover a security issue in an Acquia product or hosted service in order to protect the security of our services we ask that you report it to us confidentially. Please email the details to our security team at firstname.lastname@example.org. Acquia's security team will respond to confirm receipt of your message, review and plan the mitigation of the issue appropriately, as well as set a timeline for a new release or patch. We follow responsible disclosure and will credit researchers when a secuirty issue has been identified and mitigated.
We encourage all issues to be reported but reserve the right to publicly acknowledge researchers who discover issues in Acquia products or hosted services only, if we determine the issue to be of a high or critical severity, or if there has been continued research or contributions made by the reporter.
Also note automated vulnerability scans should not be run against Acquia domains without our explicit consent.
What details should you include when reporting a security issue
Please provide as many relevant details as you can. In particular:
- What versions of software are involved
- What steps someone can follow to go from an initial installation of that software to a point where they see the vulnerability
- Any patches or steps to mitigate the problem
A special thanks to the following people that have responsibly disclosed vulnerabilities to Acquia in the past:
-Kamil Sevi (@kamilsevi)
-Emanuel Bronshtein (@e3amn2l)
-M.R.Vignesh Kumar (@vigneshkumarmr)
-Prajal Kulkarni (www.prajalkulkarni.com)
-Himanshu Kumar Das (@mehimansu)
-Ajay Singh Negi
-Atulkumar Hariba Shedage
-Chiragh Dewan (@ChiraghDewan)
-Rafay Baloch (rafayhackingarticles.net)
-Adam Ziaja (adamziaja.com)
-Piyush Malik (@ThePiyushMalik)
-Wan Ikram (@rinakikun)
-Narendra Bhati (facebook.com/narendradewsoft)
-Ahmad Ashraff (@yappare)
-Tejash Patel & Parveen Yadav (www.backtracktutorial.com)
-Sebastian Neef & Tim Schäfers - (@internetwache)
What if the issue is in some other software?
Acquia relies on open source software such as Drupal, Varnish, memcache, nginx, Apache, MySQL and many others. If you identify a vulnerablity in one of our products that is actually in the underlying software then you can report the issue to us but could also report it to the security team for that project. For Drupal see How to report a security issue in Drupal. If you report an issue to Acquia and the problem lies with another product we will also contact and coordinate with their team prior to making any release.
Handling site-specific security questions
In general we cannot provide security support for non-Acquia customers. If your site was attacked or you have a security issue in custom code on your site the best place to get help is via an Acquia Support Subscription. If your site was attacked and is hosted on Drupal Gardens, Acquia Managed Cloud, or Acquia Dev Cloud then please use the above reporting process regardless of whether or not you have a support subscription. If you have a problem with spam posted to your site then this does not need to be handled privately. For spam issues please refer to articles about spam from the Acquia Library (requires Acquia Network subscription to read full articles).