• What Does A Security Release Notice Look Like?

    One of the requirements to get your vulnerable extension marked as resolved is that you publish a security release announcement on your website. However, we have noticed that developers often seem to have trouble understanding what this means.

    So what does it mean? We do not have a standard format for this; however, we do ask that any reasonably intelligent person reading the notice would understand that there is a new version available, that it is a security release, and that users need to update. Moreover, this information should not be buried at the bottom of a page listing all the wonderful features of your extension. You can see a good example here for Joomla. You will note the use of the eye-catching graphic. You will also note that the very second sentence says:

    This is a security release for the 3.x series of Joomla! This release fixes two low level security issues.

    The combined effect is that the reader will be in no doubt that it is a security release.