We're happy to announce the release of Ushahidi v3.12.1 and to publish the security audit of Ushahidi by Radically Open Security. This is the first security audit of the Ushahidi Platform v3 codebase, completed thanks to Open Tech Fund's sponsorship.
Read the release notes, and download the new release here.
We are happy to report that this audit did not find any high risk vulnerabilities. The penetration test found 30 issues in total, 19 of which were found to be of moderate or elevated risk. Other issues found were low risk.
We have implemented fixes to 20 of these issues in this and previous releases, and a further 2 were determined to refer to an unused codebase. You can read a break down of the status of the remaining issues here.
Note: The penetration test was completed on Ushahidi v3.6.3. We are confident within reason that new vulnerabilities have not been introduced, however we have not yet had re-test done.
We want to thank the Open Tech Fund and Radically Open Security for their work and support on the security audit. We are working to continuously improve Ushahidi's overall security standing, and this audit was very useful in working towards this goal.
We'd also like to thank the following people who have recently reported vulnerabilities to us and worked with us to address them: Aditya Arora, Brad Anthony, Victor Angelier, and Aaron Hall.
If you want to know more about Ushahidi's security policy or you have found a security issue that you'd like to report, please follow this link