GeoServer Enterprise responsible disclosure policy

The my.geocat.net knowledge base documents resolved security vulnerabilities subject to the GeoServer responsible disclosure policy.


As a member of the GeoServer community, GeoCat respects the responsible disclosure policy, working on your behalf to address security vulnerabilities and concerns.

GeoServer Enterprise customers are asked to report any security concerns via the my.geocat.net support portal. We will work with you to assess issue severity, establish any mitigation measures, and arrive at a long-term resolution.

Please keep in mind:

  • GeoServer is a popular open source project and is subject to many security audits each year, but only a small portion of these are reported in an actionable manner.
  • GeoCat provides setup guidance for production, with recommendations and topics addressing common security considerations. Please review this guidance and contact support if you require assistance.
  • Tip: The majority of audit software is designed to test the web interface provided for GeoServer administration. In a production environment you may consider turning off this user interface using the GEOSERVER_CONSOLE_DISABLED=true system property (see production considerations).

By working with GeoCat you are actively contributing to GeoServer sustainability and we thank you for your patronage.


GeoServer Responsible Disclosure Policy

If you encounter a security vulnerability in GeoServer, please take care to report it in a responsible fashion:

  • Keep exploit details out of the mailing list and issue tracker (send details to geoserver-security@lists.osgeo.org)
  • Be prepared to work with Project Steering Committee (PSC) members on a solution
  • Keep in mind that PSC members are volunteers and an extensive fix may require fundraising / resources

Please send mail directly to geoserver-security@lists.osgeo.org and provide information about the security issue you might have found. This is a moderated list with no possibility to subscribe; just send directly to the address, and the mail will be evaluated and eventually posted.
