Responsible disclosure policy

At Totara we take the security of our products very seriously. We encourage developers and independent security researchers to responsibly disclose any issues they find. Please report any security concerns to us via or, if you are a subscriber, via a helpdesk ticket. If you would like to encrypt the information, please use our PGP key.

We request that you:

  • Don't perform security reviews against a production site. Please set up your own dedicated Totara instance specifically for testing.

  • Don't publicly disclose the issue until after a fix has been released. If possible, we would ask you to wait for at least one month after the release to give our customers an opportunity to plan an upgrade.

  • Avoid non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

We will:

  • Respond in a timely manner to your initial contact. Initial response will be within 2 business days (normally sooner).

  • Keep you informed of our progress towards a fix. We may request additional information to allow us to reproduce the issue.

  • Credit you for your discovery in our release notes.

  • Not take legal action against you if you follow the rules above.

If you have any questions or want clarification on the above points, please email