Security Updates in v8.6 / v7.6

We're always looking for ways to improve. One of the areas we're focusing on is the speed and transparency of security fixes as they become available. In the past, security fixes were noted in the release notes, but we’d like to do better.

We all know that security is a major concern with online systems. It’s not a matter of if a security issue will be found, but rather how quickly it will be fixed and how fast the fix can be deployed and communicated. It’s our goal to be:

  • Receptive and open to all communications of possible security issues
  • Expedient in fixing issues that are confirmed
  • Quick to roll out fixes and communicate the importance of updating

We believe that responsible disclosure of the presence of issues is important as a way of improving the quality of Rock and building trust with those who support and use the platform.

We recently had a security expert voluntarily review Rock looking for ways to improve security. He was able to help identify several areas that needed attention. These issues were found proactively by a professional security expert working in a lab environment; to our knowledge, none of them have been used against an active Rock instance. Fixes for each of these items are in v8.6. We also backported these fixes to v7.6 for those still running version 7 (something we have done in the past and will continue to do for security issues).