Skip to content

Fix a vulnerability

This guide describes the process for fixing a vulnerability and is intended for InvenioRDM maintainers.

TL;DR - don't communicate or fix publicly a vulnerability

Step 1 - Inform architects

First, report the issue directly to Invenio architects if they have not already been alerted. If in doubt, report to

The architects are there to help facilitate the process.

Step 2 - Inform reporter

An architect will acknowledge to a reporter that we have received the report, and inform them about the process and our security policy.

Step 3 - Create a draft advisory

Start a draft security advisory on the affected GitHub repository. For instance:

Clearly describe the impact (use GitHub's default template), and fill in all fields as well as affected packages.

Step 4 - CVE score

Use the CVE scoring calculator to determine the CVE score and select

Step 5 - Identify supported versions

Next, identify all supported versions of the module using the branch management and take note of which branch(es) you have to apply the fix to.

Step 6 - Create a private temporary fork

The GitHub security advisory form allows you to create a temporary private fork. Follow the instructions provided in the GitHub interface in order to create it.

Step 7 - Create branches and fix the issue

For each of the supported versions, make a branch in the private fork that forks off from the correct master/maintenance branch.

If possible fix first on master/main, then cherry-pick to the other maintenance branches.

Also, remember to include release commits.

Step 8 - Open pull requests against the private fork

Push your branches to the temporary private fork, and open pull requests against the fork (the GitHub interface explains how).

Step 9 - Request a CVE

Step 10 - Send advance notification (2-5 days in advance)

Send out an advance notification that a security fix is being published in 2-5 days. Vulnerabilities should normally be released early in the week to provide time for user to upgrade.

Step 11 - Merge, release and publish