
Trust Center

We are continuously improving our software architecture, features and processes to minimize the risk to users and their data. On this page you can learn about our security processes and principles.


    Principles of the DHIS2 security team

    The DHIS2 security team champions the following principles:

    • Robust, formal, and predictable security processes
    • Maximum transparency
    • Full responsible disclosure
    • Strong security management culture

    If you have questions about DHIS2 security issues, you can contact the security team at: security@dhis2.org

    Security Process

    DHIS2 source code is continuously scanned by a variety of automated tools for the vulnerability classes on the OWASP Top 10 list, so that the most common bugs are caught and fixed early in the development process.

    Both the DHIS2 Android SDK and the Android App follow OWASP recommendations for privacy and security in mobile development (see our OWASP score). Two practical consequences for DHIS2 Android implementers and users are that screenshots and screen sharing are blocked while the app is in use, and that the DHIS2 Android App cannot be installed on rooted devices.
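    The following is an added illustration of how those two controls are typically implemented on Android; it is example code written for this page, not code from the DHIS2 Android App or SDK. The `HardenedActivity` class, the `looksRooted` helper, the list of `su` paths and the layout resource are all assumptions made for the example.

```kotlin
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.view.WindowManager
import java.io.File

// Hypothetical locations where a `su` binary is commonly installed on rooted devices.
// Illustrative only: not an exhaustive list, and not the list used by DHIS2.
val DEFAULT_SU_PATHS = listOf(
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/su/bin/su",
    "/vendor/bin/su"
)

/**
 * Heuristic root check (assumed helper, not DHIS2's own): returns true if a `su`
 * binary exists at any of the given paths or the firmware was signed with test keys.
 * Both signals can be hidden by root-concealment tools, so treat a `false` result as
 * "no evidence of root", not as proof that the device is clean.
 */
fun looksRooted(
    pathsToCheck: List<String> = DEFAULT_SU_PATHS,
    buildTags: String? = Build.TAGS
): Boolean {
    val suPresent = pathsToCheck.any { File(it).exists() }
    val testKeys = buildTags?.contains("test-keys") == true
    return suPresent || testKeys
}

/** Hypothetical activity showing where each control is applied. */
class HardenedActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // FLAG_SECURE must be set before any content is drawn. It marks the window as
        // secure, so the system excludes it from screenshots, screen recordings and
        // screen sharing, and refuses to mirror it to non-secure displays.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        // Refuse to run on a device that appears rooted. On a rooted device the OS itself
        // is untrusted, so FLAG_SECURE and the app sandbox no longer hold; this check is
        // defence in depth, not a guarantee.
        if (looksRooted()) {
            finishAffinity()
            return
        }

        setContentView(R.layout.activity_main) // assumed layout resource for the example
    }
}
```

    Two caveats a practitioner should keep in mind. FLAG_SECURE only protects the window it is set on, so every activity or dialog that renders sensitive data needs it. And a local `su`/`test-keys` heuristic like the one above is easily bypassed; where a stronger signal is needed, a server-verified attestation such as Google's Play Integrity API is the usual complement, and Google Play can additionally exclude devices that fail integrity checks from installing the app at all.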

    Supported Versions

    DHIS2 officially supports the latest three major released versions (see the Downloads page). When a vulnerability in the DHIS2 software is discovered and fixed, a security patch release is published for each supported major version. Versions that have reached End of Support are not guaranteed to receive security patches, so it is critical that older DHIS2 implementations upgrade to a recent, supported major version as soon as possible.

    Vulnerability Reporting & Disclosure

    DHIS2 has a dedicated security team focused on maintaining the integrity of the DHIS2 software. If you discover what you believe to be a vulnerability in DHIS2 then we want to hear from you. Please visit our Vulnerability Reporting & Disclosure Policy page for information on how to contact the DHIS2 security team, what you can expect when you contact us, and what we expect from you.

    Read the DHIS2 Vulnerability Reporting & Disclosure Policy

    Known Vulnerabilities (CVEs)

    The DHIS2 security team practices responsible disclosure. When vulnerabilities are discovered in released, supported versions of DHIS2, the team makes every effort to evaluate, address and release fixes in a timely manner. Because many DHIS2 implementations around the world handle sensitive data, information about these vulnerabilities may be embargoed for a period of time. The DHIS2 team endeavors to eventually disclose any known vulnerability in older software versions once it has been fixed and sufficient time has passed for production DHIS2 implementations to upgrade.

    See a list of known DHIS2 vulnerabilities:

    Security Hall of Fame

    The DHIS2 Security team greatly appreciates the help of independent security researchers in identifying and responsibly disclosing security vulnerabilities. We recognize their contributions in the DHIS2 Security Hall of Fame.

    Get the latest security updates on the Community of Practice

    You can stay informed about the latest security updates from the DHIS2 security team on the DHIS2 Community of Practice (CoP) by subscribing to posts tagged with “dhis2-security.” You can also subscribe to the DHIS2 newsletter, which includes a summary of recent security updates.