Throughout 2014, the cPanel Security Team has worked with security researchers through cPanel’s Security Bounty program. We try to deliver fixes to issues these security researchers have discovered, along with fixes for issues discovered by cPanel’s internal code audits, in regular two-month cycles. The intent of these scheduled TSRs has been to minimize disruptions and risks associated with fixing vulnerabilities that are not being actively attacked in the wild or represent a low threat to most cPanel & WHM systems.
Starting with TSR-2015-0001, we will formalize this process further. All future scheduled TSRs will occur on the third Monday of every other month. Minor adjustments to this schedule will be made as necessary to avoid conflicts with cPanel company holidays. Any adjustments to the schedule will be announced at least one week in advance of the scheduled TSR date.
Unscheduled TSRs, for issues that represent critical threats to cPanel & WHM systems and issues that are being actively attacked on a widespread basis, will still occur at any time as needed.
With TSR-2015-0001 we will be making two additional changes that are intended to bring our vulnerability handling process more in sync with industry norms:
– The delay between the release of a TSR to customers and the disclosure of the vulnerabilities fixed in the TSR will be lowered to one day.
– cPanel will provide CVSSv2 scoring information for all vulnerabilities addressed in the TSRs.
To ensure that you receive up-to-date product news from cPanel, we encourage you to subscribe to the “Security Advisories and Product Release Announcements” mailing list on our website at https://cpanel.net/mailing-lists/.