How we keep Umbraco secure

In today’s world, a continuous focus on security is essential. No doubt. That’s why following best practice and performing regular testing are both part of our security operations, ensuring that you can use our products and services with peace of mind.

Security and Open Source

The Umbraco CMS is Open Source, which means that the core code is open and accessible to everyone. This, however, does not mean that everyone is able to alter the code. We, Umbraco HQ, ensure that the core of the CMS, Umbraco Cloud, and Forms stay as bullet-proof as possible - and if a vulnerability is discovered, we make sure to fix it automatically (Umbraco Cloud) and provide information about manual fixes in a timely and secure manner.

How to get informed about security advisories


3rd party penetration tests

Apart from doing regular internal testing, we have an external security company doing thorough penetration testing of Umbraco CMS and Umbraco Cloud to detect possible vulnerabilities.

These penetration tests are done twice a year.

The results of the tests are not published online, but we share the confirmation letter as proof.

Confirmation letter - for Umbraco 16 STS (CMS & Cloud)

Confirmation letter - for Umbraco 15 STS (CMS & Cloud)

Confirmation letter - for Umbraco 13 LTS (CMS)

Questions regarding this can be forwarded to security@umbraco.com


Our Penetration Testing Process

We conduct regular penetration testing with external security partners to ensure our products meet the highest security standards. Here's how we typically collaborate with our testing vendors throughout each engagement.

Every engagement starts with a kick-off meeting where we define the scope, expectations, and testing timeline together. After this meeting, our pentest partner makes their preparations while we set up a dedicated testing environment for them to work in.

The actual testing phase runs for one to two weeks, depending on what we agreed upon during kick-off. By the end of this period, our partner delivers a comprehensive overview of their findings, which we review together before we start planning our remediation efforts.

Once we've determined our approach to fixing the identified issues, we schedule a follow-up meeting to present our remediation plan and get it confirmed by the pentest team. This is also a valuable opportunity to receive expert advice on addressing the issues most effectively. With the plan locked in, we move forward with implementing the fixes.

After remediation is complete, our pentest partner returns to re-test the environment and verify that all issues have been properly resolved. They then prepare a final verification report containing a high-level, public-friendly summary of what was found and whether it was successfully remediated. We publish this report on our website for full transparency.

Interested in Becoming a Pentest Partner?

We're always open to working with qualified penetration testing firms. If you're interested in collaborating with us, apply by writing to security@umbraco.com to be considered for future engagements.

How to report a vulnerability

If you come across a vulnerability through your own use and testing of Umbraco, we’d of course like to hear about it. So that the vulnerability can be handled in the most responsible manner, we ask you to follow our guidelines for how to report a vulnerability.


Security in Umbraco Cloud and Heartcore

As part of the Umbraco Cloud offering, we've added extra security-related features to your project set-up, for example features that automatically make sure your sites are always running the latest, most secure version of Umbraco.

Added security in Umbraco Cloud

Security tips for you

We have structured ways of testing and keeping the Umbraco foundation secure. Due to the open-source nature of Umbraco, there are also ways for you to ensure that your own project is set up as securely as possible. That’s why we have gathered a number of tips on this for you right here:

How to make your Umbraco set-up more secure

Umbraco Security Features

  • Automated Security updates (Umbraco Cloud) ✔️
  • Automated HTTPS certificate (Umbraco Cloud) ✔️
  • Hashed passwords ✔️
  • Support for HTTPS ✔️
  • Support for OAuth login system ✔️
  • Possible to set up password rules ✔️
  • Possible to implement two-factor authentication ✔️
  • Default log-out of the backoffice after a period of inactivity ✔️
  • Built-in security Health Checks ✔️