Redmine is widely used for issue tracking and project workflows, and it regularly receives security fixes. Keep Redmine updated and harden attachment handling, permissions, and the plugin lifecycle.
¶ 1) Patch Redmine and its stack
- Track the Redmine security advisories page and patch promptly.
- Upgrade to a release that contains the current fixes (for example, the fixes shipped in 6.1.1/6.0.8/5.1.11) and confirm on the advisory page which versions each issue affects.
- Validate plugin compatibility after upgrades; an unmaintained plugin is a reason to drop the plugin, not to stay on an old Redmine.
- Keep Ruby and the gem dependencies updated: re-run bundle install and the database migrations after each upgrade, and retire Ruby versions that are end-of-life.
¶ 2) Restrict permissions and attachment operations
- Apply least privilege to project roles and issue permissions.
- Restrict who can modify or delete attachments: grant the issue-editing and file-management permissions to as few roles as possible.
- Limit upload types (Administration > Settings > Files sets the maximum attachment size and the allowed/disallowed extensions) and make sure thumbnail/preview generation only runs on the file types you expect, with the external convert tooling it calls kept up to date.
- Audit project-level role changes and issue visibility permissions.
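As an added example (not Redmine's own code and not from the original page), the following Ruby script shows the two checks behind the attachment items above: an extension allowlist/denylist modelled on Redmine's "Allowed extensions" / "Disallowed extensions" settings, and a content check that only hands genuine raster images to a thumbnailer, built as an argv array rather than a shell string. The extension lists, the storage path, the size bounds and the use of ImageMagick's convert are assumptions for the demo.

```ruby
# Added example, not Redmine code. Extension policy and thumbnail gate for uploads.

# Site policy (assumption): a short allowlist, plus a denylist so an accidentally
# allowed dangerous type is still refused.
ALLOWED_EXTENSIONS = %w[png jpg jpeg gif pdf txt csv md log].freeze
DENIED_EXTENSIONS  = %w[exe com bat cmd sh ps1 js html htm svg php phar].freeze
# Only these raster types are ever thumbnailed; the value is the expected magic-byte type.
THUMBNAIL_TYPES    = { 'png' => :png, 'jpg' => :jpeg, 'jpeg' => :jpeg, 'gif' => :gif }.freeze

# Reduce a user-supplied name to a bare file name: drop directory parts (either
# separator), reject NUL bytes and empty names.
def sanitize_filename(name)
  return nil if name.nil? || name.include?("\0")
  base = name.split(%r{[\\/]}).reject(&:empty?).last.to_s.strip
  base.empty? ? nil : base
end

# Lower-cased extension after the last dot; nil for no extension, a trailing
# dot, or a dotfile such as ".htaccess".
def extension_of(name)
  base = sanitize_filename(name)
  return nil if base.nil?
  dot = base.rindex('.')
  return nil if dot.nil? || dot.zero? || dot == base.length - 1
  base[(dot + 1)..-1].downcase
end

def allowed_extension?(name)
  ext = extension_of(name)
  return false if ext.nil? || DENIED_EXTENSIONS.include?(ext)
  ALLOWED_EXTENSIONS.empty? || ALLOWED_EXTENSIONS.include?(ext)
end

# Identify raster images by magic bytes instead of trusting the extension.
def image_signature(bytes)
  head = bytes.to_s.b
  return :png  if head.start_with?("\x89PNG\r\n\x1a\n".b)
  return :jpeg if head.start_with?("\xFF\xD8\xFF".b)
  return :gif  if head.start_with?("GIF87a".b) || head.start_with?("GIF89a".b)
  nil
end

# Build the argv for a thumbnail job, or return nil if the file must not be
# thumbnailed. disk_path is the server-generated storage name (assumption: the
# upload name is never used on disk); the argv array avoids shell interpolation.
def thumbnail_argv(name, bytes, disk_path, out_path, size)
  return nil unless allowed_extension?(name)
  expected = THUMBNAIL_TYPES[extension_of(name)]
  return nil if expected.nil? || image_signature(bytes) != expected
  return nil unless size.is_a?(Integer) && size.between?(16, 1024)
  # "[0]" selects the first frame of an animated GIF; ">" only shrinks, never enlarges.
  ['convert', "#{disk_path}[0]", '-thumbnail', "#{size}x#{size}>", out_path]
end

if __FILE__ == $PROGRAM_NAME
  png = "\x89PNG\r\n\x1a\n".b + ("\0" * 16)   # constructed PNG header
  store = '/var/redmine/files/240101120000_ab12_photo.png'   # assumed storage path
  p allowed_extension?('photo.JPG')            # true
  p allowed_extension?("..\\..\\payload.exe")  # false: denied extension
  p thumbnail_argv('photo.png', png, store, '/tmp/thumb.png', 100)
  p thumbnail_argv('photo.png', '<?php'.b, store, '/tmp/thumb.png', 100)   # nil: content mismatch
end
```

The content check matters because a file called photo.png that is really a script or a PDF must never reach convert, and the argv form means a hostile upload name can never become shell syntax.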
¶ 3) Secure infrastructure and data exports
- Enforce HTTPS: terminate TLS at the reverse proxy, redirect plain HTTP to HTTPS, and set Redmine's protocol setting to HTTPS so generated links (for example in notification e-mails) use it.
- Bind the database and any background services (mail handling, repository fetching, job runners) to localhost or a private network; nothing but the web front end should be reachable from the internet.
- Where issues carry sensitive data, remember that CSV/PDF export follows issue visibility: keep such projects private, limit the roles that can view those issues, and set a conservative issues export limit.
- Encrypt backups at rest and in transit; a Redmine backup is the database dump (issues, journals, users) plus the files directory that holds the attachments, so protect both.
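As an added example (not Redmine code and not from the original page), the following Ruby script shows authenticated encryption of a backup archive before it leaves the host, using only the standard library. The archive content (a constructed mini SQL dump plus one attachment record), the blob layout and the PBKDF2 parameters are assumptions for the demo; in production the passphrase would come from a secret store rather than a literal.

```ruby
# Added example, not Redmine code. AES-256-GCM encryption of a backup archive.
require 'openssl'
require 'zlib'
require 'securerandom'

MAGIC     = 'RMBACKUP'.b.freeze   # 8-byte format marker (assumed layout), bound into the GCM tag
SALT_LEN  = 16
NONCE_LEN = 12
TAG_LEN   = 16
KDF_ITERS = 210_000               # PBKDF2 iteration count (assumption)

def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: KDF_ITERS,
                           length: 32, hash: 'sha256')
end

# Blob: MAGIC || salt || nonce || tag || ciphertext. The header is passed as
# additional authenticated data, so swapping salts or nonces between blobs is detected.
def encrypt_backup(plaintext, passphrase)
  salt   = SecureRandom.random_bytes(SALT_LEN)
  nonce  = SecureRandom.random_bytes(NONCE_LEN)   # fresh per blob; never reuse a nonce under one key
  header = MAGIC + salt + nonce
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = nonce
  cipher.auth_data = header
  ct = plaintext.empty? ? ''.b : cipher.update(plaintext.b)
  ct << cipher.final
  header + cipher.auth_tag(TAG_LEN) + ct
end

# Returns the plaintext, or raises OpenSSL::Cipher::CipherError if the
# passphrase is wrong or any byte of the blob (header included) was altered.
def decrypt_backup(blob, passphrase)
  blob = blob.b
  raise ArgumentError, 'not a backup blob' unless blob.start_with?(MAGIC)
  off   = MAGIC.bytesize
  salt  = blob.byteslice(off, SALT_LEN);  off += SALT_LEN
  nonce = blob.byteslice(off, NONCE_LEN); off += NONCE_LEN
  tag   = blob.byteslice(off, TAG_LEN);   off += TAG_LEN
  ct    = blob.byteslice(off..-1)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = nonce
  cipher.auth_tag  = tag
  cipher.auth_data = MAGIC + salt + nonce
  pt = ct.empty? ? ''.b : cipher.update(ct)
  pt + cipher.final   # the tag is checked here
end

# True only if the blob decrypts and authenticates under this passphrase.
def backup_intact?(blob, passphrase)
  decrypt_backup(blob, passphrase)
  true
rescue OpenSSL::Cipher::CipherError, ArgumentError
  false
end

# Constructed stand-in for a real backup: gzip of a mini SQL dump plus one
# attachment record from the files directory.
def build_sample_archive
  sql  = "INSERT INTO issues (id, subject) VALUES (1, 'internal pentest findings');\n"
  file = "-- files/2024/01/240101120000_report.pdf\n%PDF-1.4 constructed sample\n"
  Zlib.gzip(sql + file)
end

if __FILE__ == $PROGRAM_NAME
  archive = build_sample_archive
  enc = encrypt_backup(archive, 'demo-passphrase')   # assumption: passphrase from a secret store
  puts "encrypted #{archive.bytesize} -> #{enc.bytesize} bytes"
  puts Zlib.gunzip(decrypt_backup(enc, 'demo-passphrase')).lines.first
  puts "tamper check: #{backup_intact?(enc, 'wrong-passphrase')}"   # false
end
```

Because the mode is authenticated, a restore either yields the exact archive or fails loudly; a truncated or edited backup cannot silently restore a partial issue table. Test restores regularly, since an encrypted backup whose passphrase has been lost is the same as no backup.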
- Redmine security advisories: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
- Redmine source repository: https://github.com/redmine/redmine