Skip to content

Latest commit

 

History

History
29 lines (19 loc) · 2.07 KB

SECURITY.md

File metadata and controls

29 lines (19 loc) · 2.07 KB

Security Policy

Supported Versions

Version Supported End Of Life
3.4.x ✔️ Active development
3.3.x ✔️ Active maintenance
3.2.x ✅ Security only
3.1.x ✅ Security only; upgrade recommended
3.0.x ✅ Security only; upgrade recommended
2.x ❌ Not supported 2021
1.x ❌ Not supported 2005 (approx)

Reporting a Vulnerability

To report a vulnerability, please contact PKP privately using: [email protected]

You can expect a response via email to acknowledge your report within 2 working days.

PKP will then work to verify the vulnerability and assess the risk. This is typically done within the first week of a report. Once these details are known, PKP will file a Github issue entry with limited details for tracking purposes. This initial report will not include enough information to fully disclose the vulnerability but will serve as a point of reference for development and fixes once they are available.

When a fix is available, PKP will contact its user community privately via mailing list with details of the fix, and leave a window of typically 2 weeks for community members to patch or upgrade before public disclosure.

PKP then discloses the vulnerability publicly by updating the Github issue entry with complete details and adding a notice about the vulnerability to the software download page (e.g. https://pkp.sfu.ca/ojs_download). At this point, a CVE and credit for the discovery may be added to the entry.

Depending on the severity of the issue PKP may back-port fixes to releases that are beyond the formal software end-of-life.

We aim to have a fix available within a week of notification.