The following policy describes the support agreement that the DSpace Committers Group aspires to in supporting DSpace open source software. This is not a binding contract (either with individual members of the Committers Group or our respective institutions). This agreement may change at any time with a formal vote of the active Committers.
This software support policy was adopted (via majority vote) by the DSpace Committers Group in July 2013.
Summary of DSpace Release Support
We strive to release a new major version of DSpace every year. We support the last three (3) major versions, so each major version is supported for approximately three years. Unless an earlier date is announced, the end-of-life date for each major release is therefore usually the point at which that release is no longer one of the "last three major releases".
For example, 8.x would be end-of-life as soon as 11.x is released (as supported releases would be 9.x, 10.x, 11.x). 11.x would be released approximately three years after 8.x.
Support for Security Updates:
- Version(s) Supported
  - The DSpace Committers provide support for security updates to the most recent three (3) major releases of the platform. Security updates include fixes/patches for vulnerabilities discovered in the DSpace codebase, as well as a best effort to keep dependencies/libraries up-to-date with regard to security. We recommend running the latest major release for the most secure DSpace experience, as dependency updates are not always possible to apply to other supported releases (see limitations below).
  - Limits to support for dependency updates: When vulnerabilities arise in dependencies (or dependencies go "end-of-life"), we may not always be able to apply the dependency update to all supported releases of DSpace. While we do our best to apply security-based dependency updates to all supported releases, any dependency updates that are not reasonably "backwards compatible" may only be possible to apply to the most recent DSpace release(s).
    - Because Angular has an 18-month support window and new major versions are often not "backwards compatible", older supported DSpace releases may be pinned to an unsupported version of Angular. Therefore, for the best security, we highly recommend one of the following: upgrading your DSpace to the latest major release, monitoring your version of Angular for vulnerabilities (e.g. via HeroDevs Vulnerability Directory), or purchasing never-ending Angular support from HeroDevs.
  - Earlier end-of-life dates: In some scenarios, earlier end-of-life dates for DSpace releases may be announced if major concerns arise over the stability or longevity of a specific release. These announcements would be sent to Mailing Lists and posted on our Releases page.
  - Patches for unsupported releases: Depending on the severity of a particular security issue, the DSpace Committers may make an effort to provide a security patch or recommendation for prior, unsupported versions. This is decided on a case-by-case basis.
- Reporting Security Issues
  - If you have located a possible security issue within DSpace, we ask that you report it to security@dspace.org (this emails all the DSpace Committers). We strive to provide a 7-day (or less) turnaround in investigating the reported issue, and will work towards resolution as soon as possible. Once a fix has been created and any necessary security releases are performed, we will then report the security issue and resolution to the general public. You will be publicly credited with discovering/reporting the security issue.
  - We strongly encourage you to report security issues in private, before disclosing them in a public forum. We take DSpace security issues very seriously and will work quickly to eliminate them once reported.
- Published Security Advisories
  - All past Security Advisories for DSpace can be found in the GitHub projects for the Java Backend (REST API) and Angular Frontend (User Interface). These advisories are also sent to DSpace Mailing Lists when announced.
Support for Bug Fixes (and Improvements/Features):
- Version(s) Supported
  - The DSpace Committers only regularly provide bug fixes to the most recent major release of the platform.
  - Depending on the severity of a particular bug, DSpace Committers may backport the fix to prior versions of the software platform. This is decided on a case-by-case basis.
- Reporting Bugs / Issues
  - If you have located a possible bug/issue within DSpace, we ask that you report it directly to our DSpace Issue Tracker (GitHub). We strive to investigate bugs as soon as we can after they are reported. However, based on the severity of the bug, the timeline of an actual fix may depend on how rapidly we can locate a volunteer developer (either a Committer or a community developer).
  - If you are unsure whether something you have found is a DSpace bug/issue, you are also welcome to ask about it on our DSpace Technology Mailing List (dspace-tech Google Group).