mirror of
https://github.com/Piwigo/Piwigo.git
synced 2025-04-26 11:19:55 +03:00
36 lines
1.7 KiB
Markdown
36 lines
1.7 KiB
Markdown
# Piwigo Security Policy
|
|
|
|
The Piwigo team and community take security bugs seriously. We appreciate your efforts
|
|
to responsibly disclose your findings.
|
|
|
|
## Supported Versions
|
|
|
|
Security updates will typically only be applied to the latest release. Exceptionally,
|
|
we may release a new version of an old branch but that won't be the standard way we process.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Please contact us at [security@piwigo.org](mailto:security@piwigo.org) when you have
|
|
discovered a potential security issue.** Please do not create a public issue for now. At a minimum, your report by email should include the following:
|
|
|
|
- version of Piwigo, version of PHP, version of MySQL/MariaDB
|
|
- vulnerability description
|
|
- reproduction steps
|
|
|
|
You will receive a response from us within 72 hours. If the issue is confirmed we will
|
|
then work on fixing it and release a new fixed version of Piwigo, following these steps:
|
|
|
|
- Confirm the problem and determine the affected versions.
|
|
- Audit code to find any potential similar problems.
|
|
- Prepare a fix for `master` branch and backport it on the current stable branch.
|
|
- Release a new version of Piwigo on its current stable branch as fast as possible, historically within a few days.
|
|
|
|
## Responsible Disclosure
|
|
|
|
1. Confirm that the vulnerability applies to a current version and is reproducible.
|
|
2. First share the vulnerability details with us so that users are not put at risk.
|
|
3. Wait before publishing details until everyone has had a chance to update.
|
|
4. Respect the privacy of others.
|
|
|
|
*Avoid activities that disrupt, degrade, or interrupt our services or compromise other
|
|
users' data, such as spam, brute force attacks, denial of service attacks, and malicious file distribution.*
|