SECURITY.md.bak
# Piwigo Security Policy
The Piwigo team and community take security bugs seriously. We appreciate your efforts
to responsibly disclose your findings.
## Supported Versions
Security updates will typically only be applied to the latest release. Exceptionally,
we may release a new version of an old branch, but that is not our standard process.
## Reporting a Vulnerability
**Please contact us at [[email protected]](mailto:[email protected]) when you have
discovered a potential security issue.** Please do not create a public issue for now. At a minimum, your report by email should include the following:
- version of Piwigo, version of PHP, version of MySQL/MariaDB
- vulnerability description
- reproduction steps
You will receive a response from us within 72 hours. If the issue is confirmed, we will
then work on fixing it and release a new fixed version of Piwigo, following these steps:
- Confirm the problem and determine the affected versions.
- Audit code to find any potential similar problems.
- Prepare a fix for `master` branch and backport it on the current stable branch.
- Release a new version of Piwigo on its current stable branch as fast as possible, historically within a few days.
## Responsible Disclosure
1. Confirm that the vulnerability applies to a current version and is reproducible.
2. First share the vulnerability details with us so that users are not put at risk.
3. Wait before publishing details until everyone has had a chance to update.
4. Respect the privacy of others.
*Avoid activities that disrupt, degrade, or interrupt our services or compromise other
users' data, such as spam, brute force attacks, denial of service attacks, and malicious file distribution.*