Hello everyone,
I would like to raise a topic that became very relevant for us last week: security advisories and timely information about security‑relevant updates in Zammad.
I had a regular update planned for last Tuesday to install my custom-made package to enable HVE for ticket notifications. On the same day, our office received a PEC email.
For clarity: A PEC (Posta Elettronica Certificata) is an Italian legally certified email system, comparable to a registered letter with return receipt. It is commonly used by public authorities for formal and security‑relevant communications.
The PEC was sent by CSIRT Italia - Agenzia per la Cybersicurezza Nazionale (ACN).
The message concerned current cybersecurity risks in Zammad 6.5.x, which was installed at the time. This of course immediately shifted our priorities.
I had already tested the upgrade to Zammad 7.0 weeks before in a test environment, and the production update was planned for summer, not immediately.
What caught my attention afterwards was the following:
I only noticed the relevant forum post about the security advisory by chance on Tuesday morning, a few hours before receiving the PEC, although at that time it had already been published around 6 days earlier.
My questions to the Zammad team and the community:
Which official channels does the Zammad team recommend to stay reliably and promptly informed about critical security advisories and CVEs?
- Newsletter?
- GitHub Security Advisories?
- RSS feeds?
- Other channels?
What is considered best practice from your experience to avoid learning about security topics “by chance”?
How do other organizations handle this?
- Monitoring CVE databases?
- Automated alerts?
- Dedicated security mailing lists?
Especially in environments where updates are planned, tested, and bound to change windows, early and reliable security information is crucial.
I would really appreciate recommendations from both the Zammad team and other community members.
Best,
Skip
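One concrete answer to the "automated alerts" question is a small poller that reads GitHub's security advisory feed for the zammad/zammad repository and compares the installed version against each advisory's vulnerable version range. The script below is an added example for this thread, not the post author's code and not part of the Zammad project. The advisory list it ships with is a constructed placeholder in the shape of GitHub's advisory API response (fields `ghsa_id`, `cve_id`, `summary`, `severity`, `published_at`, `vulnerabilities[].vulnerable_version_range`) and describes no real vulnerability; the REST endpoint named in `fetch_advisories` and the exact response field names are assumptions to verify against the GitHub REST docs before wiring this into a cron job or alerting pipeline.

```python
"""Compare an installed Zammad version against GitHub Security Advisories.

Added example for this forum thread. Runs offline on the CONSTRUCTED sample
below; swap in the live JSON from fetch_advisories() once the endpoint and
field names have been checked against the GitHub REST documentation.
"""
import json
import operator
import re
import urllib.request

# Comparators used in GitHub's vulnerable_version_range strings, e.g. ">= 6.0.0, < 6.5.3".
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}


def parse_version(text):
    """'6.5.2' -> (6, 5, 2). Pads missing components with 0 and drops a '-pre' suffix."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums) + (0,) * (3 - len(nums))


def in_range(installed, vuln_range):
    """True if every comma-separated clause of vuln_range holds for installed."""
    iv = parse_version(installed)
    for clause in vuln_range.split(","):
        m = re.match(r"\s*(>=|<=|>|<|=)\s*(\S+)", clause)
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        op, ver = m.groups()
        if not OPS[op](iv, parse_version(ver)):
            return False
    return True


def affected_advisories(advisories, installed):
    """Return the advisories whose vulnerable range covers the installed version."""
    hits = []
    for adv in advisories:
        for vuln in adv.get("vulnerabilities", []):
            rng = vuln.get("vulnerable_version_range")
            if rng and in_range(installed, rng):
                hits.append({
                    "id": adv.get("ghsa_id"),
                    "cve": adv.get("cve_id"),
                    "severity": adv.get("severity"),
                    "published": adv.get("published_at"),
                    "range": rng,
                })
                break  # one match per advisory is enough
    return hits


def fetch_advisories(owner="zammad", repo="zammad"):
    """Live fetch. ASSUMPTION: the 'list repository security advisories' endpoint
    and its JSON shape; confirm against the GitHub REST docs before relying on it."""
    url = f"https://api.github.com/repos/{owner}/{repo}/security-advisories"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


# CONSTRUCTED placeholder data: IDs, ranges and dates are invented for the
# example and do not describe any real Zammad advisory.
SAMPLE_ADVISORIES = json.loads("""[
  {"ghsa_id": "GHSA-0000-0000-0001", "cve_id": null, "severity": "high",
   "summary": "placeholder advisory A (constructed)",
   "published_at": "2000-01-01T00:00:00Z",
   "vulnerabilities": [{"vulnerable_version_range": "< 7.0.0"}]},
  {"ghsa_id": "GHSA-0000-0000-0002", "cve_id": null, "severity": "moderate",
   "summary": "placeholder advisory B (constructed)",
   "published_at": "2000-01-02T00:00:00Z",
   "vulnerabilities": [{"vulnerable_version_range": ">= 6.0.0, < 6.4.0"}]}
]""")


if __name__ == "__main__":
    installed = "6.5.1"  # read this from the running instance in real use
    for hit in affected_advisories(SAMPLE_ADVISORIES, installed):
        print(f"{hit['id']} ({hit['severity']}) affects {installed}: range {hit['range']}, "
              f"published {hit['published']}")
```

Run from cron and pipe the output into whatever already pages you (mail, chat webhook, ticket); a non-empty result for your installed version is the alert. The version comparison is deliberately numeric rather than string-based so that 6.10.0 sorts after 6.5.3, and a clause it cannot parse raises instead of silently reporting "not affected", which is the safer failure mode for a security check.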