Technology + security

OpenCulturas is part of the Drupal ecosystem

Standing on the shoulders of giants: OpenCulturas is a Drupal distribution, i.e. a Drupal core system with quite a few well-established contributed modules and an established contributed back-end theme. On top of that, there is a custom front-end theme and a bit of custom code that was necessary for the distribution. We follow coding standards and contribute wherever useful and possible.

Version 1.0 was published in 2022 on Drupal.org. The source code can be downloaded from the Drupal GitLab. For technical reasons, you'll find it on GitHub as well (but that is not the main repository).

External dependencies (for example, OpenStreetMap or Swiffy Slider) are managed by dedicated modules, using Composer.

In case you have not heard about Drupal: it is a powerful Content Management Framework with a huge community, based on PHP/Symfony.

Security and disclosure policy

Please note that it is necessary to keep OpenCulturas (like any other software) up to date. Security issues are found regularly, worldwide, and there is a good tradition, especially in open source communities, of swiftly patching vulnerabilities. We benefit from Drupal's robust security plan, and its security updates are promptly applied to OpenCulturas.

Responsible disclosure

Whenever you discover a vulnerability: don't shout out about it. Keep in mind that you put anyone using that software at risk when you give attackers a hint about a possible exploit. Follow the project's process to report a security issue and thus help the security experts to keep the knowledge out of the public until a patch has been developed. That's what responsible disclosure means.

How to report a security issue

If you are positive that you have found a Drupal-related security bug, please report it to the Drupal security team directly.

In case you are sure you have found an OpenCulturas-specific vulnerability (or in case you are not sure at all), report it to the OpenCulturas team on Drupal.org. Include steps to reproduce your findings.

Please allow for enough time to investigate the bug before you report it anywhere else. Do not create public issues (e.g. on GitHub or Drupal.org) for security-related doubts or questions.

Good to know

If you change the OpenCulturas configuration, especially the user permissions, be cautious. Careless permission settings in particular may cause unwanted information disclosure or data exposure (such as your users' email addresses).

Read more about why you should care about software security and safety in the CMS Garden blog.