Mautic security – Mautic
https://mautic.org

Mautic graduates from the GitHub Secure Open Source Program
https://mautic.org/blog/mautic-graduates-from-the-github-secure-open-source-program
Mon, 11 Aug 2025 16:05:03 +0000

In June this year some of our security team members had to take a bit of a step back from their duties, but they had good reasons! Mautic was selected to join the prestigious Secure Open Source Fund second cohort, a three-week intense program led by GitHub which saw our team learning about every aspect of security from experts across GitHub and the wider technology community.

For three weeks the participants learned about everything from securing automated workflows and the tools that can be used to detect vulnerabilities through to planning for dealing with incidents and learning about the latest developments in security regarding AI/ML and MCP servers.

Attended by Project Lead Ruth Cheesley and Docker Working Group Lead Renato Castro, the training has been instrumental in helping Mautic to develop its security posture and to operate in a way that ensures the safety and security of our ecosystem.

We’re delighted to share that we graduated from the program, which you can read about on the GitHub blog announcing the first 71 projects they worked with.

The work doesn’t stop with the end of the program, though, and that’s the beauty of this opportunity – the entire cohort of 40 open source projects and their maintainers will stay together in a private community as we all work to secure open source.

Together we will all be working through our backlog and focusing on keeping our open source projects secure.

What’s more, GitHub is also financially supporting the projects that complete the program by providing a $10,000 contribution, and we’ve also been offered a substantial amount of Azure credits to support Mautic’s continued growth.

Both Renato and Ruth found the training extremely insightful:

Project Lead Ruth Cheesley said:

It was such a great opportunity to learn from the experts across GitHub and the wider technology community – not to mention from our fellow maintainers – over the course of the three weeks. We’ve already implemented many of the learnings and I’m sure it’s going to have a big impact going forward.

Renato Castro, Docker Working Group Lead said:

During the training I had the opportunity to learn more about multiple cybersecurity topics which I wasn’t completely aware of. It was awesome to discover GitHub’s security-driven features, and share insights with not only other open source maintainers, but also with GitHub experts who are very passionate about their products. The program has definitely helped us to improve Mautic’s security, making us align even more with our vision of being the most privacy (and security) focused marketing automation product on the market.

Announcing the Potential Extended Long Term Support (ELTS) Program for Mautic: We Need Your Feedback!
https://mautic.org/blog/announcing-potential-extended-long-term-support-elts-program-mautic-we-need-your
Wed, 28 Aug 2024 15:52:59 +0000

We are excited to share some news with you about a project we’re about to kick off! We are considering the implementation of an Extended Long Term Support (ELTS) program for Mautic.

This initiative is designed to provide back-ported security fixes for earlier versions of Mautic that are no longer under active and security support. However, to ensure that this program meets your needs and expectations, we are seeking your valuable input and feedback.

What is an ELTS Program?

The ELTS program would involve an annual fee, in return for which Mautic would provide back-ported security fixes to older versions of the software. This service is aimed at helping organizations that rely on older versions of Mautic maintain a secure environment without the immediate need to upgrade to the latest version.

Examples of Existing ELTS Programs

To give you an idea of how such programs work in other open source projects, here are some examples:

We Need Your Input

To create an ELTS program that truly benefits our community, we need your feedback on several key aspects. Consider the following questions and share your thoughts with us. Feel free to share any other ideas you might have – the questions are just a starting point!

Service Expectations

  • What specific features and services would you expect from an ELTS program?
  • How important is it for your organization to receive back-ported security fixes for older versions of Mautic?
  • What versions of Mautic would you expect to be supported?

Operational Models

  • How do you think the ELTS program should operate?
  • Should Mautic have a dedicated paid team to work on back-ports and apply patches?
  • Should Mautic provide a private repository with patches for users to apply themselves?
  • Should Mautic issue a Request for Proposal (RFP) and allow single or multiple providers to offer the service?

Implementation and Management

  • What would be the most critical factors for you in choosing to subscribe to the ELTS program?
  • How frequently would you expect updates and patches to be released?

Additional Thoughts

  • Are there any other considerations or suggestions you have for the ELTS program?

How to Provide Your Input

The call for input will be open until the 13th September. We encourage all community members to share their views and suggestions. Your feedback is invaluable in helping us design a program that meets your needs and supports the continued security and stability of Mautic.

Ways to Submit Your Input

  • Comment: Join the discussion on the consultation
  • Email: For private inquiries, email us at elts@mautic.org (please use the comment method by default).
  • Slack: Join the discussion in the #ELTS channel for general chat about this project (get an invite) and join #wg-elts to join the working group.

Thank you for your time and contributions. Together, we can create a robust and effective ELTS program that benefits the entire Mautic community.

Mautic Adopts GitHub’s Private Security Reporting System for Vulnerability Reporting
https://mautic.org/blog/mautic-adopts-githubs-private-security-reporting-system-vulnerability-reporting
Wed, 08 Nov 2023 17:36:52 +0000

At Mautic, we are dedicated to ensuring the security of our software ecosystem and enhancing the experience of our developers and users. The diligent attention of community members and security researchers has significantly contributed to our ongoing commitment to create safer, more robust software.

The announcement by huntr – our trusted partner in managing the reporting and communication around software vulnerabilities – that they will shift their strategic focus to only handle vulnerabilities related to AI and ML libraries and frameworks, rather than all open source projects, necessitates a transition on our part too.

We want to ensure that we continue to maintain transparency and open channels of communication with our community on security issues.

With this in mind, we are happy to announce that we are moving to GitHub’s built-in private vulnerability reporting system.

What does this mean for you?

If you have previously reported vulnerabilities or contributed to Mautic using huntr, you can now seamlessly navigate to the Security tab on our GitHub repository page and use the built-in form there to privately report any potential security vulnerability you discover. 

While only the title and description are mandatory on this form, we encourage you to provide as much information as possible to aid our prompt and adequate response. Please check our guidelines on our website for how to write a great report.

Our Commitment

While we transition between these systems, we continue to be committed to the safety of our users and the integrity of our ecosystem. We assure our community that your alerts, concerns, and reports will be attended to with the due diligence and priority they deserve.

We will be communicating with the authors of all open reports as we transition systems and will be including several fixes in upcoming releases.

For a step-by-step guide on how to report a vulnerability using GitHub’s built-in security tab, we recommend referring to the official GitHub reporting guidelines.

We appreciate the efforts of all our community members, and we value your continued contribution and support as we work together in building a safer and more secure Mautic community.

The Mautic Security Team
