We are continuously improving our software architecture, features and processes to minimize the risk to users and their data. On this page you can learn about our security processes and principles.
Jump to a section on this page
Principles of the DHIS2 security team
The DHIS2 security team champions the following principles:
- Robust, formal, and predictable security processes
- Maximum transparency
- Full responsible disclosure
- Strong security management culture
If you have questions about DHIS2 security issues, you can contact the security team at: email@example.com
DHIS2 source code is continuously analyzed for security vulnerabilities on the OWASP Top 10 list thanks to a variety of automated tools, to ensure most common bugs are addressed early in the development process.
Both the DHIS2 Android SDK and the Android App follow OWASP recommendations for ensuring privacy and security features in mobile development (see our OWASP score). Some practical implications for DHIS2 Android implementers and users are the blocking of screenshots and screen sharing when using the app, and the prevention of DHIS2 Android App installation in rooted devices.
DHIS2 officially supports the latest three major released versions — see the Downloads page. When a vulnerability in the DHIS2 software is discovered and fixed, a security patch release will be published for each supported major version. Versions which have reached End of Support are not guaranteed to receive security patches, so it is critical that older DHIS2 implementations upgrade to a recent, supported major version as soon as possible.
Vulnerability Reporting & Disclosure
DHIS2 has a dedicated security team focused on maintaining the integrity of the DHIS2 software. If you discover what you believe to be a vulnerability in DHIS2 then we want to hear from you. Please visit our Vulnerability Reporting & Disclosure Policy page for information on how to contact the DHIS2 security team, what you can expect when you contact us, and what we expect from you.
Known Vulnerabilities (CVEs)
The DHIS2 security team participates in responsible disclosure. When vulnerabilities are discovered in released, supported versions of DHIS2, the team makes every effort to evaluate, address, and release fixes in a timely manner. Due to the sensitive nature of many DHIS2 implementations around the world, information relating to these vulnerabilities may be embargoed for some period of time. Eventually, the DHIS2 team endeavors to disclose any known vulnerabilities in older software versions once they have been fixed and sufficient time has passed to allow production DHIS2 implementations to upgrade their software.
See a list of known DHIS2 vulnerabilities:
- DHIS2 core software
- DHIS2 Android app
Security Hall of Fame
The DHIS2 Security team greatly appreciates the help of independent security researchers in identifying and responsibly disclosing security vulnerabilities. We recognize their contributions in the DHIS2 Security Hall of Fame.