Security in Open Source: Challenges, Responsibility, and Progress in the DNN Community

Written By David Poindexter
2025-10-08

When you’re running an open-source platform like DNN, security is never “done.” It’s an ongoing process. The same openness that makes open source powerful - shared code, community collaboration, peer review - also means that vulnerabilities can be easier to find and exploit. That’s why the DNN Community takes security so seriously.

This post explains the challenges of open-source security, how we handle vulnerability reports, and what you can do to help keep your DNN site secure.


Why Security in Open Source Is Tricky

  • Everyone can see the code
    Transparency is great for learning and collaboration, but it also means bad actors can study the same code.

  • Different versions everywhere
    Not everyone updates at the same pace, which leaves some sites more exposed.

  • Volunteer maintainers
    Unlike commercial products with full-time staff, our community relies on dedicated volunteers. That makes process and coordination even more important.


How to Report a Potential Issue (the Right Way)

If you ever come across a potential security problem in DNN:

This sends the report straight to the DNN Security Task Force, where it will be reviewed, validated, and assigned a severity level (Critical, Moderate, or Low). Below you will see the Common Vulnerability Scoring System (CVSS) that is used.


What Happens Next

Our process follows the principle of coordinated disclosure:

  1. We investigate and confirm the issue privately.

  2. We prepare a fix or a safe workaround.

  3. We release an update that addresses the issue.

  4. We then publish a security advisory on GitHub, request a CVE ID, and publish via the DNN Security Center and the National Vulnerability Database (NVD).


Making Security Updates Easier to Spot

Thanks to community feedback, the DNN Update Service now clearly highlights when an update contains a security fix. That way, you know when an upgrade is more than just a feature update - it’s about protecting your site.

Typically, we wait about 30 days after a fix is released before sharing deeper technical information. This is why you may see something like the below in your DNN instance(s) as an "early warning".

This ensures that site owners have time to patch their systems before technical details are made widely available.

We also recommend watching GitHub releases for Dnn.Platform, so you’ll get notified as soon as new versions are published.


What You Can Do to Help

  • Stay current
    Apply security updates as soon as possible.

  • Report responsibly
    Use the private reporting option in GitHub.

  • Check official sources
    Watch the DNN Security Center for bulletins and guidance.

  • Support the community
    Testing, development, and sponsorship all strengthen the platform.


Building Trust Together

Open-source security is a shared responsibility. Maintainers, contributors, and site owners all play a role. By reporting issues responsibly, updating promptly, and leaning on official channels, we keep DNN secure and trusted - together.


👉 Learn more about our security policy and reporting process here: DNN Platform Security Policy.


 

Total: 4 Comment(s)
Thank you David! Great information
Monday, November 3, 2025
My pleasure Marco - I am glad you find this information helpful. Anything we can do to help get this knowledge disseminated to the community at large would be most helpful in my opinion. So feel free to share on socials, etc.
Monday, November 3, 2025
Thanks for sharing this post. Everything we do as a community for security comes with a balance between disclosure, protection, and resolution, and I think this post really helps to focus on the key items to keep everyone up to date on the best processes. It should be noted that ANY other methods for feedback on security items that you may have had from before, such as old email addresses, etc., are NOT valid and the information in this post is the most current!
Thursday, November 13, 2025
Thanks for the additional notes!
Thursday, November 13, 2025
