Security framework v1

Last updated: 6 Dec 2024

Introducing CivicTheme's Security Framework: A New Standard for Compliance

In a landscape saturated with lightweight and often short-lived design systems, CivicTheme is charting a different course. Our new Security Framework represents a foundational step in clarifying CivicTheme’s position as a government-grade design system that prioritises compliance, security, and trustworthiness. While many design systems focus on aesthetics and usability, CivicTheme goes further, addressing the critical need for security and compliance in digital government services.

Why a Security Framework Matters

Governments and organisations demand more than just visually appealing interfaces—they require systems that are secure, reliable, and compliant with stringent standards. CivicTheme has always embraced the highest levels of accessibility and compliance, and our Security Framework extends this commitment by formalising how we identify, address, and resolve vulnerabilities across our platform.

This framework ensures CivicTheme remains a trusted choice for government-grade digital experiences, reducing the risks associated with adopting open-source technologies. It reflects our understanding that security is not just a feature but a necessity in building reliable systems for public use.

Key Features of the Security Framework

  1. Supported Versions Policy
    We follow an N and N-1 supported version model: security updates are provided for the current minor release series and the one before it, in each case as the latest patch release of that series. For example, if the latest version is 1.8.1, we support both 1.8.1 and 1.7.4 (the latest 1.7.x patch). Additionally, we continue to provide patches for the earlier pivotal versions 1.4 and 0.9 to support users transitioning from older releases.

    This structured approach ensures users can rely on CivicTheme for secure updates while maintaining flexibility in their upgrade timelines.

  2. Streamlined Vulnerability Reporting
    The security framework sets out clear procedures for identifying and reporting vulnerabilities. Reporters can raise issues through GitHub Security Advisories, email, or Slack, so that responsible disclosure has more than one pathway.

    Our process emphasises collaboration and transparency, ensuring that reported vulnerabilities are acknowledged, assessed, and resolved efficiently.

  3. Comprehensive Fix and Release Process
    When a vulnerability is reported, our security team assigns a primary handler who leads the investigation and resolution process. Steps include:

    • Confirming the issue and identifying the affected versions.
    • Auditing the codebase for similar vulnerabilities, so the fix addresses the class of issue rather than a single instance.
    • Preparing security releases and patches for all supported versions.

    Notifications of these releases are shared across CivicTheme’s community channels, ensuring that users stay informed.

  4. Aligned with Drupal and UI Kit Security Standards
    For organisations using the CivicTheme Drupal Theme or UI Kit, we provide tailored disclosure channels and procedures to ensure vulnerabilities are addressed across all layers of the system.

CivicTheme: Built for Compliance and Assurance

The introduction of this Security Framework reinforces CivicTheme’s mission to provide government-grade assurance in every facet of its design and implementation. While other design systems may focus solely on functionality or aesthetics, CivicTheme differentiates itself with a robust foundation of compliance and security.

This is not just about meeting standards—it’s about building trust. Governments and organisations need to feel confident that the systems they deploy are resilient to emerging threats. Our Security Framework ensures CivicTheme remains a dependable choice for mission-critical digital services.

Governance, Transparency, and Collaboration

The Security Framework is deeply aligned with CivicTheme’s open governance model. By inviting contributions and fostering a transparent reporting process, we empower the community to play an active role in maintaining the system’s security. This collaborative approach mirrors the open-source ethos that CivicTheme is built upon, creating a product that is both democratically guided and rigorously secure.

A Starting Point for Greater Innovation

While this framework represents a significant milestone, it is only the beginning. CivicTheme’s roadmap includes iterative improvements to strengthen compliance and security further. We are actively exploring partnerships with experts who can help us scale this framework globally, ensuring it remains robust and adaptable for governments and organisations worldwide.

Why It Matters

In a world where digital threats are increasingly complex, CivicTheme stands out as a beacon of trust, compliance, and longevity. The Security Framework ensures that CivicTheme is not just a design system but a foundation for building secure, accessible, and reliable digital experiences that empower citizens globally.

For governments, organisations, and developers seeking a design system that is as robust as it is innovative, CivicTheme offers the assurance of a platform built with purpose, guided by governance, and grounded in security.

To learn more, visit our Security Policy page. Together, we can build a safer, more reliable digital future.
