Security Advisory, June 24, 2025
# news
r
Hi all - hope all is well and recovering from the CG25 blues! A question on the Umbraco security patch that has gone out today ... we've had our first client push back (quote from client "Is this normal? There's been 4 in the last 6 months!?") ... has anyone else had this from their clients and is there anyone from HQ that can shed some light on the frequency of these pen tests so that we can at least predict how many there may be in a 12 month period ... ? We can manage the client's expectations by explaining the pros of pen tests making the product better etc. etc. - but any guidance on frequency would be helpful. Thanks, Rick
s
Security issues, much like any software bug, can appear at any time. While Umbraco do run pentests throughout the year across their products, vulnerabilities can be reported by researchers outside of these tests. Umbraco have a responsibility to fix issues in an appropriate time frame, which will depend on the severity of the vulnerability. Sadly it's not something you can really predict.
r
Thanks Steven - that's very much the message that we convey to clients - I worry though that clients will start to get frustrated with the sheer number of patches that keep materialising and they start to get shaky about the product itself and think to go elsewhere ... at least your response didn't allude to Umbraco Cloud 🙌
a
That's a very weird logic. Why would they go with another CMS that receives fewer security updates, and is potentially less secure? I get it, it's annoying for both developer/agency and client, but ensuring websites are as bulletproof as possible is a priceless aspect of this software. If they'd rather not update that's their choice at the end of the day; as Steven has pointed out, security vulnerabilities are literally as and when somebody discovers and shares them. Fortunately, we've got a community of very talented folk who help find and help Umbraco resolve these issues before somebody else does. Having more security updates doesn't mean it's not secure, very much the opposite in my opinion. They must really love Windows Updates 😛
r
I think it's about upgrades versus security patches, and signal versus noise ..
j
From HQ's side, we do feel that lately there has been an extraordinary number of vulnerabilities reported from the outside. I get the feeling that many of these vulnerabilities have been reported by students at universities. My initial thought is that we are seeing an increase right now due to the end of the school year, where students may have used Umbraco as a testing target during their finals. Or is that nonsensical?
s
Interesting Jacob, possibly! I have also heard about bug bounty programs getting overloaded with AI submissions. Not sure if you're seeing any of that.
j
Some of them have been more 'anonymous' than others, but that could just be due to the fact that people want it to stay that way. It is not easy to draw conclusions. Some of the reports have been credited to 2-3 people at a time, where some of them have public GitHub profiles that indicate they are students, hence my initial thinking from before.
r
Appreciate the context here @Jacob Overgaard - any insight from HQ is really useful - thank you.
Can I ask ... this particular client's site uses SSO, is this latest security advisory applicable to them? I'm assuming not ...
s
Yes, the vulnerability is that there is an API endpoint that discloses password complexity requirements for backoffice users. But if you use SSO, the complexity is determined by your configured identity provider. The vulnerability makes brute forcing logins somewhat easier (because attackers can refine their password lists accordingly), although if you have lockouts enabled, MFA, SSO, and all that good stuff, the risk is lower.
Not sure I agree with the moderate rating tbh
But that's CVSS for you
Most of what we've seen reported over the last year has been rated moderate, with only 1 high. The majority require backoffice access to exploit in the first place. When you start putting the vulnerabilities into the context of your own environment and considering what other security measures/mitigations you have in place (e.g., SSO/MFA), many could be reduced to low for your environment (the environmental part of CVSS scoring, which people don't tend to use; they just go by the base score).
r
Yes, that's what we believe too @Steven (he/him)