security – Mautic
https://mautic.org
World's Largest Open Source Marketing Automation Project
Thu, 20 Mar 2025 16:26:39 +0000

Announcing the Potential Extended Long Term Support (ELTS) Program for Mautic: We Need Your Feedback!
https://mautic.org/blog/announcing-potential-extended-long-term-support-elts-program-mautic-we-need-your
Wed, 28 Aug 2024 15:52:59 +0000

We are excited to share some news with you about a project we’re about to kick off! We are considering the implementation of an Extended Long Term Support (ELTS) program for Mautic.

This initiative is designed to provide back-ported security fixes for earlier versions of Mautic that are no longer under active and security support. However, to ensure that this program meets your needs and expectations, we are seeking your valuable input and feedback.

What is an ELTS Program?

The ELTS program would involve an annual fee, in return for which Mautic would provide back-ported security fixes to older versions of the software. This service is aimed at helping organizations that rely on older versions of Mautic maintain a secure environment without the immediate need to upgrade to the latest version.

Examples of Existing ELTS Programs

To give you an idea of how such programs work in other open source projects, here are some examples:

We Need Your Input

To create an ELTS program that truly benefits our community, we need your feedback on several key aspects. Consider the following questions and share your thoughts with us. Feel free to share any other ideas you might have – the questions are just a starting point!

Service Expectations

  • What specific features and services would you expect from an ELTS program?
  • How important is it for your organization to receive back-ported security fixes for older versions of Mautic?
  • What versions of Mautic would you expect to be supported?

Operational Models

  • How do you think the ELTS program should operate?
  • Should Mautic have a dedicated paid team to work on back-ports and apply patches?
  • Should Mautic provide a private repository with patches for users to apply themselves?
  • Should Mautic issue a Request for Proposal (RFP) and allow single or multiple providers to offer the service?

Implementation and Management

  • What would be the most critical factors for you in choosing to subscribe to the ELTS program?
  • How frequently would you expect updates and patches to be released?

Additional Thoughts

  • Are there any other considerations or suggestions you have for the ELTS program?

How to Provide Your Input

The call for input will be open until the 13th September. We encourage all community members to share their views and suggestions. Your feedback is invaluable in helping us design a program that meets your needs and supports the continued security and stability of Mautic.

Ways to Submit Your Input

  • Comment: Join the discussion on the consultation
  • Email: For private inquiries, email us at elts@mautic.org (please use the comment method by default).
  • Slack: Join the discussion in the #ELTS channel for general chat about this project (get an invite) and join #wg-elts to join the working group.

Thank you for your time and contributions. Together, we can create a robust and effective ELTS program that benefits the entire Mautic community.

Mautic Adopts GitHub’s Private Security Reporting System for Vulnerability Reporting
https://mautic.org/blog/mautic-adopts-githubs-private-security-reporting-system-vulnerability-reporting
Wed, 08 Nov 2023 17:36:52 +0000

At Mautic, we are dedicated to ensuring the security of our software ecosystem and enhancing the experience of our developers and users. The diligent attention of community members and security researchers has significantly contributed to our ongoing commitment to create safer, more robust software.

The announcement by huntr – our trusted partner in managing the reporting and communication around software vulnerabilities – that they will shift their strategic focus to only handle vulnerabilities related to AI and ML libraries and frameworks rather than all open source projects, necessitates a transition on our part too. 

We want to ensure that we continue to maintain transparency and open channels of communication with our community on security issues.

With this in mind, we are happy to announce that we are moving to GitHub’s built-in private vulnerability reporting system.

What does this mean for you?

If you have previously reported vulnerabilities or contributed to Mautic using huntr, you can now seamlessly navigate to the Security tab on our GitHub repository page and use the built-in form there to privately report any potential security vulnerability you discover. 

While only the title and description are mandatory on this form, we encourage you to provide as much information as possible to aid our prompt and adequate response. Please check our guidelines on our website for how to write a great report.

Our Commitment

While we transition between these systems, we continue to be committed to the safety of our users and the integrity of our ecosystem. We assure our community that your alerts, concerns, and reports will be attended to with the due diligence and priority they deserve.

We will be communicating with the authors of all open reports as we transition systems and will be including several fixes in upcoming releases.

For a step-by-step guide on how to report a vulnerability using GitHub’s built-in security tab, we recommend referring to the official GitHub reporting guidelines.

We appreciate the efforts of all our community members, and we value your continued contribution and support as we work together in building a safer and more secure Mautic community.

The Mautic Security Team

9 Tips To Secure Data in Email Marketing
https://mautic.org/blog/9-tips-secure-data-email-marketing
Wed, 28 Jun 2023 15:15:22 +0000

Email marketing has become an essential part of the modern business landscape, with companies of all sizes using it to reach their customers and prospects. According to a report by Litmus, email marketing has an average ROI of 4,200%, meaning that for every dollar spent on email marketing, the average return is US$ 42. With such a high ROI, it’s no wonder that businesses are investing more in email marketing than ever before.

However, with this increased use of email marketing comes an increased risk of data breaches and security threats. That’s why it’s essential to take steps to secure data in email marketing. In this article, we’ll provide nine tips to help you do just that.

Tips To Secure Data In Email Marketing

1. Use a Secure Email Service Provider

A secure email service provider offers encryption, spam filtering, virus protection, and other security features to ensure the safe transmission of your emails. Using a secure email service provider can help prevent unauthorized access to your email account, reduce the risk of spam emails, and protect the privacy of your sensitive data.

When choosing a secure email service provider, look for services that offer end-to-end encryption, two-factor authentication, and robust spam and virus filtering.

2. Use Strong Passwords and Two-Factor Authentication

Strong passwords and two-factor authentication are critical to email security. Weak passwords are one of the most common causes of email security breaches, and two-factor authentication can help prevent unauthorized access to your email account.

When creating a strong password, use a combination of upper and lowercase letters, numbers, and symbols. Moreover, two-factor authentication adds an extra layer of security by requiring a second form of authentication, such as a verification code sent to your phone.

3. Use a Secure Marketing Automation Platform

When it comes to managing your email marketing campaigns, it’s important to use a secure marketing automation platform. By using a secure platform, you can help ensure that your customer data is protected and that your campaigns are delivered safely and efficiently.

A reliable platform like Mautic offers a variety of security features. For example, it provides authentication options such as DKIM, SPF, and DMARC to help ensure that emails are legitimate and not spoofed or phishing attempts. Mautic provides regular security updates and patches to address known vulnerabilities or threats.

4. Implement Data Access Control Measures

Data access control measures are security measures that restrict access to sensitive data to authorized users only. Examples of data access control measures include passwords, firewalls, and access controls. Implementing data access control measures can help prevent unauthorized access to your email account and sensitive data, reduce the risk of data breaches, and protect the privacy of your customers’ personal information.

To implement data access control measures, you can use tools like role-based access controls, two-factor authentication, and multi-factor authentication.

5. Regularly Back Up Your Data

Data backup involves creating copies of your email data so that you can recover it in case of a data loss event, such as a cyberattack, natural disaster, or hardware failure. Regular data backups can help ensure that you don’t lose important data and can help reduce the impact of a data loss event on your business.

To back up your email data, you can use cloud-based backup solutions, external hard drives, or backup tapes.

6. Use Anti-Malware and Anti-Spam Software

Anti-malware and anti-spam software can help prevent malicious emails and attachments from reaching your inbox. These types of software can also scan incoming emails for potential threats and remove them before they can cause any harm.

Malware is any software designed to harm your computer or steal your personal data. Malware can be hidden in email attachments or links that, when clicked, download the harmful software onto your computer.

Anti-malware software can help detect and remove these threats before they can cause damage. Similarly, anti-spam software can filter out unwanted emails that may contain phishing attempts, which are fraudulent emails designed to trick you into giving away sensitive information such as login credentials.

7. Keep Your Email Software Up to Date

It is important to keep your email software up to date to ensure that you have the latest security patches and updates. This can help protect against known vulnerabilities that can be exploited by cybercriminals. Software updates often contain security patches that address known vulnerabilities and help protect against new threats.

If you fail to install these updates, you are leaving your system open to potential attacks. Cybercriminals are constantly looking for new vulnerabilities to exploit, so keeping your email software up to date is an important aspect of maintaining data security.

8. Use a Virtual Private Network (VPN)

A VPN can help protect your data by encrypting your internet connection and hiding your IP address. This can help prevent cybercriminals from intercepting your emails or accessing your network. VPNs work by creating a secure and encrypted connection between your device and the internet. This helps to keep your online activities private and secure from hackers and other malicious actors.

When you use a VPN, your data is encrypted, and your IP address is hidden, making it more difficult for cybercriminals to intercept your emails or gain access to your network. This is particularly important when using public Wi-Fi networks, which are often unsecured and, therefore, vulnerable to attacks.

9. Conduct Regular Security Audits

Regular security audits can help identify vulnerabilities in your email marketing system and ensure that your security measures are up to date. These audits can also help identify areas for improvement and provide recommendations for enhancing your overall data security posture. Security audits typically involve a thorough review of your email marketing system, including your software, hardware, and policies and procedures.

By conducting regular security audits, you can help ensure that your data security measures are up-to-date and effective in protecting your sensitive information.

Conclusion

Implementing the tips discussed in this article can help secure your data in email marketing and protect your business from cyber threats. From using secure email service providers to conducting regular security audits, each tip plays a crucial role in ensuring the safety and confidentiality of your sensitive information.

By following these best practices, you can improve your overall data security posture and enhance the trust and confidence of your customers. Remember, data security is not only important for compliance but also for building a strong and reliable reputation in the market.

Cecylia Nejman is a writer with a deep focus on tech, security, IT, and software. You can read more about secure data at Cybernews.

Mautic authorized as a CVE Numbering Authority (CNA)
https://mautic.org/blog/mautic-authorized-cve-numbering-authority-cna
Fri, 26 Feb 2021 18:32:09 +0000

Recently we made the first major security release in several years, which also coincided with the clarification of processes and workflows the Security Team will follow should another vulnerability arise in the future.

Part of this process was to become a CVE Numbering Authority (CNA) so that we can be the single source of truth for dealing with the publishing of information relating to vulnerabilities in Mautic and officially supported plugins.

The CVE Program has today authorized Mautic as a CVE Numbering Authority (CNA).

What is a CVE?

External to our project, the Common Vulnerabilities and Exposures (CVE®) Program assigns a unique identifier to each vulnerability discovered across any participating project. This enables two or more people or tools to refer to a vulnerability and know they are talking about the same thing, resulting in significant time and cost savings.

The Common Vulnerabilities and Exposures (CVE®) Program is an international, community-based effort and relies on the community to discover vulnerabilities. Once discovered, vulnerabilities are assigned an ID and published to the CVE List.

What is a CNA?

CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.

Within the framework of the CNA program, the Mautic Security Team can now assign CVE numbers to newly identified vulnerabilities and publicly disclose information on these vulnerabilities. The scope of this authority includes Mautic Core and officially supported plugins not covered by another CNA.

What does this mean for Mautic?

Becoming a CNA means that if anybody discovers a vulnerability with Mautic or any of the officially supported plugins, they will have to report it to the Mautic Security Team in order to be granted a CVE ID.

Previously, a report could be made to the CVE Program without involving the Mautic Security Team, which could lead to vulnerabilities being published before a fix is made available or the team even being aware of the vulnerability.

How do I report a vulnerability?

We have detailed guidelines which you can review here: https://www.mautic.org/mautic-security-team/how-to-report-a-security-issue

Who can I contact for more information?

Please reach out to security@mautic.org in the first instance.

Tracking Visitor Data by Smart URL
https://mautic.org/blog/tracking-visitor-data-by-smart-url
Thu, 17 Aug 2017 13:49:58 +0000

We’re excited to continue sharing content developed by the Mautic community.

Have you ever wondered if you could track more than just visits via the Mautic tracking script? I know I did, and in this article I will show you how we can use URLs to track anything you want.

The Basics

Before we start, let’s have a look at these two URL examples. This one has no extra parameter:

https://mydomain.com/page/test/

And here we have the same URL with an extra parameter:

https://mydomain.com/page/test/?email=johndoe@company.com

If you use MailChimp or CampaignMonitor, for example, to send out marketing emails, consider using this technique. Simply add the email address as a parameter at the end of the URL.

In PHP you can read this parameter with:

$email = $_GET['email'] ?? ''; // empty string when the parameter is absent

And then proceed to use that parameter for processing. However, there is also a clever way of using the Mautic JavaScript to track visitors on your site. A few slight modifications let it send any lead field you want to Mautic.

Get Tracking with Mautic

Here is the default script:

<script>
    (function(w,d,t,u,n,a,m){w['MauticTrackingObject']=n;
        w[n]=w[n]||function(){(w[n].q=w[n].q||[]).push(arguments)},a=d.createElement(t),
        m=d.getElementsByTagName(t)[0];a.async=1;a.src=u;m.parentNode.insertBefore(a,m)
    })(window,document,'script','https://mydomain.com/mtc.js','mt');

    mt('send', 'pageview');
</script>

In short, what this does is simply pass along the identification parameters such as IP address and device fingerprint, together with the page the user is visiting. Now have a look at the script below.

<script>
    // Read a named query-string parameter; returns '' when it is absent.
    function getUrlParameter(name) {
        name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');
        var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
        var results = regex.exec(location.search);
        return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' '));
    }

    (function(w,d,t,u,n,a,m){w['MauticTrackingObject']=n;
        w[n]=w[n]||function(){(w[n].q=w[n].q||[]).push(arguments)},a=d.createElement(t),
        m=d.getElementsByTagName(t)[0];a.async=1;a.src=u;m.parentNode.insertBefore(a,m)
    })(window,document,'script','https://domain.com/mtc.js','mt');

    // The name must match the query parameter used in the newsletter links (?email=...).
    var email = getUrlParameter('email');

    if (email !== '') {
        mt('send', 'pageview', {email: email});
    } else {
        mt('send', 'pageview');
    }
</script>

The first function is used to extract a custom parameter from the URL. You can use this function for any parameter you want. Just make sure to pass the correct name to the function. In our case the name is ‘email’.

Below that you can see the default part of the Mautic tracking script. This is not relevant for us. It does what it needs to do, no need to concern us with that for now. Below that you will see a new variable is created with the name ‘email’ and the value it will get is the URL parameter for ‘email’. This means that this variable will hold the content of the URL that comes after ‘?email=’, which should be the email address of the user.

Then we have a short if-statement. This statement simply checks if the email parameter is filled or not. If it is not (which is the case for people that visit your website without a newsletter link) it will simply pass along the usual parameters. But if the email parameter is present it will pass along the usual parameters together with the email address.

Sending a Custom Parameter

You can send this along by adding ‘{email: email}’ to the mt method. Keep in mind that the first string identifies the field you want to pass along. In this case we want to pass along the email, but this could also be any other field like firstname or lastname, or even a custom field you have created. The second string or value is the actual value that needs to be passed along. Since we put the value we got from the URL in the ‘email’ variable, we just write ‘email’ to indicate that we want to pass along the string inside this variable.

Lastly, make sure you enable public updating for the fields you want to track using this method. If public updating is not enabled Mautic will simply drop the field. You can do this by going to the ‘Custom fields’ section, then selecting the field you want and changing ‘publicly updatable’ from ‘no’ to ‘yes’.

Congratulations! You can now track custom parameters on your website!

The Possibilities Are Endless

Using the Mautic tracking script this way opens up new ways to identify your contacts. Think about the contact points you have and how you can use them to track different data sets.

If you are using mailing tools like Mailchimp or CampaignMonitor it is super easy to add extra parameters to your newsletters. Simply append the extra parameter to all the URLs in your mail and there you go! In fact, you can use any contact point you have and apply this method to the parameters at hand.

Security

We should not forget that we are still handling personal data here. If you are appending sensitive data to a URL, make sure you think about handling the data safely. What you could do is sign or encrypt the parameters (a plain hash cannot be reversed) and verify or decrypt them on your website before you send them off to Mautic. That way anyone who comes across the link cannot read the parameters or forge their own.

Also make sure to use https (TLS, often still called SSL) if possible. This is simply an extra layer of security added to the request the user will make. Best practice is to use TLS both for your website and for the connection between your website and Mautic. You will see in the examples above that I have used https in the code, and not http.

And there you go. Now you know how to track custom parameters with the Mautic tracking script. I cannot wait to see what creative ways you all come up with to use this!
