Security advisories & CVEs: how do you stay informed in a timely manner?

Hello everyone,

I would like to raise a topic that became very relevant for us last week: security advisories and timely information about security‑relevant updates in Zammad.

I had a regular update planned for last Tuesday to install my custom-made package to enable HVE for ticket notifications. On the same day, our office received a PEC email.

For clarity: A PEC (Posta Elettronica Certificata) is an Italian legally certified email system, comparable to a registered letter with return receipt. It is commonly used by public authorities for formal and security‑relevant communications.

The PEC was sent by CSIRT Italia - Agenzia per la Cybersicurezza Nazionale (ACN).
The message concerned current cybersecurity risks about Zammad 6.5.x, which was installed at the time; this of course immediately shifted our priorities.

I had already tested the upgrade to Zammad 7.0 weeks before in a test environment, and the production update was planned for summer, not immediately.

What caught my attention afterwards was the following:
I only noticed the relevant forum post about the security advisory by chance on Tuesday morning, a few hours before receiving the PEC, although at that time it had already been published around 6 days earlier.

My questions to the Zammad team and the community:

Which official channels does the Zammad team recommend to stay reliably and promptly informed about critical security advisories and CVEs?

  • Newsletter?
  • GitHub Security Advisories?
  • RSS feeds?
  • Other channels?

What is considered best practice from your experience to avoid learning about security topics “by chance”?

How do other organizations handle this?

  • Monitoring CVE databases?
  • Automated alerts?
  • Dedicated security mailing lists?

Especially in environments where updates are planned, tested, and bound to change windows, early and reliable security information is crucial.

I would really appreciate recommendations from both the Zammad team and other community members.

Best,
Skip

1 Like

Hi Skip,

Thanks for raising this question.

We recommend following GitHub Security Advisories (Security Advisories · zammad/zammad · GitHub). This is our main channel for publishing security advisories and fixes, and you can subscribe to receive notifications.

For broader updates on Zammad (like major and minor releases, feature news, or events), our newsletters, forum posts in the announcement section, and social media (Mastodon, X, LinkedIn, FB) are helpful additional sources.

Best,
Julia

2 Likes

There’s also an RSS feed for our releases which might be helpful.

3 Likes

In our two-person organization, our owner/operator reads and receives information about security advisories from a variety of sources, including but not limited to:

  • GitHub notifications
  • New release notifications for all the systems we run
  • Other vendor software notifications
  • the Open Source Server Security List Serv
  • Posts from the Fediverse, information security-focused Slack and Discord groups and IRC channels

Reviewing all of this is a process that can take most of the day but can be interwoven between meetings and dedicated focused work time. It can also lead whoever is tasked with reading all of this to shout some expletives when they read that a part of the security supply chain got popped.

I hope this provided some insight and was helpful. Good luck establishing your security advisory program!

1 Like

Thank you all for the replies. I subscribed for the time being to the RSS feed, since GitHub Security Advisories do not send e-mail notifications unless one subscribes to all notifications, which is out of scope.

Thanks @trishalynn for the extensive information; I will be looking into other options too based on your suggestions.

Best,
Skip

1 Like
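The thread settles on a feed subscription as the practical workaround for not getting e-mail from GitHub Security Advisories. As an added example (not code from anyone in this thread, nor from the Zammad project), the script below shows what the "automated alerts" asked about in the opening post can look like when built on such a feed: it parses an Atom feed, remembers which entry ids it has already seen, and flags only new entries whose title or body mentions security terms. The feed URL is my assumption (GitHub publishes a releases Atom feed per repository; the thread does not give the URL of Zammad's own feed), and the sample feed embedded below is constructed so the example runs offline.

```python
"""Poll an Atom feed and alert on new, security-relevant entries.

Added example for illustration. Assumptions: the feed is GitHub's
per-repository releases Atom feed (URL below); the set of already-seen
entry ids is persisted by the caller, e.g. in a small JSON file.
"""
import json
import re
import urllib.request
import xml.etree.ElementTree as ET
from pathlib import Path

ATOM_NS = {"a": "http://www.w3.org/2005/Atom"}

# Assumed URL: GitHub exposes <owner>/<repo>/releases.atom for every repository.
FEED_URL = "https://github.com/zammad/zammad/releases.atom"

# Terms that make an entry worth an immediate look; tune to your own needs.
SECURITY_TERMS = re.compile(r"\b(security|cve-\d{4}-\d+|advisory|vulnerab)", re.I)

# Constructed sample in GitHub's Atom shape (placeholder ids, .invalid links).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Release notes from example-repo</title>
  <updated>2025-06-10T09:00:00Z</updated>
  <entry>
    <id>tag:github.com,2008:Repository/1/EXAMPLE-7.0.1</id>
    <updated>2025-06-10T09:00:00Z</updated>
    <title>EXAMPLE-7.0.1</title>
    <link rel="alternate" href="https://example.invalid/releases/EXAMPLE-7.0.1"/>
    <content type="html">Security release fixing CVE-0000-0000 (placeholder id).</content>
  </entry>
  <entry>
    <id>tag:github.com,2008:Repository/1/EXAMPLE-7.0.0</id>
    <updated>2025-06-01T09:00:00Z</updated>
    <title>EXAMPLE-7.0.0</title>
    <link rel="alternate" href="https://example.invalid/releases/EXAMPLE-7.0.0"/>
    <content type="html">Feature release with new ticket views.</content>
  </entry>
</feed>
"""


def parse_feed(xml_text):
    """Return the feed's entries as plain dicts, in feed order."""
    root = ET.fromstring(xml_text)
    entries = []
    for e in root.findall("a:entry", ATOM_NS):
        link = e.find("a:link", ATOM_NS)
        entries.append({
            "id": e.findtext("a:id", default="", namespaces=ATOM_NS),
            "title": e.findtext("a:title", default="", namespaces=ATOM_NS),
            "updated": e.findtext("a:updated", default="", namespaces=ATOM_NS),
            "link": link.get("href", "") if link is not None else "",
            "summary": e.findtext("a:content", default="", namespaces=ATOM_NS),
        })
    return entries


def is_security_relevant(entry):
    """True if the title or body mentions one of SECURITY_TERMS."""
    return bool(SECURITY_TERMS.search(f"{entry['title']} {entry['summary']}"))


def check_feed(xml_text, seen_ids):
    """Diff the feed against seen_ids.

    Returns (new_entries, security_alerts, updated_seen_ids). Every new entry
    is remembered, so a non-security release is not re-reported next run either.
    """
    fresh = [e for e in parse_feed(xml_text) if e["id"] not in seen_ids]
    alerts = [e for e in fresh if is_security_relevant(e)]
    return fresh, alerts, set(seen_ids) | {e["id"] for e in fresh}


def fetch_feed(url=FEED_URL, timeout=20):
    """Download the live feed (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def run_once(state_path, xml_text=None):
    """One polling cycle: load state, check, persist state, return alerts."""
    path = Path(state_path)
    seen = set(json.loads(path.read_text())) if path.exists() else set()
    xml_text = xml_text if xml_text is not None else fetch_feed()
    _fresh, alerts, seen = check_feed(xml_text, seen)
    path.write_text(json.dumps(sorted(seen)))
    return alerts


if __name__ == "__main__":
    # Run from cron or a scheduler; wire the returned alerts to mail/chat.
    for a in run_once("feed_seen.json"):
        print(f"[SECURITY] {a['updated']} {a['title']} {a['link']}")
```

Because the seen-id set is persisted, the script can run from cron every hour without repeating alerts, and the keyword filter keeps routine feature releases out of the alert channel while still recording them as seen; the first run after a long gap will also surface anything published in the meantime, which addresses the "noticed it six days later by chance" problem described at the top of the thread.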

Glad to be of help! I am also not kidding about occasionally hearing expletives or loud shouts of dismay from the owner/operator as he goes through the daily advisories. :)

1 Like