Version | Supported | End Of Life |
---|---|---|
3.4.x | ✔️ Active development | |
3.3.x | ✔️ Active maintenance | |
3.2.x | ✅ Security only | |
3.1.x | ✅ Security only; upgrade recommended | |
3.0.x | ✅ Security only; upgrade recommended | |
2.x | ❌ Not supported | 2021 |
1.x | ❌ Not supported | 2005 (approx) |
To report a vulnerability, please contact PKP privately using: [email protected]
You can expect a response via email to acknowledge your report within 2 working days.
PKP will then work to verify the vulnerability and assess the risk. This is typically done within the first week of a report. Once these details are known, PKP will file a Github issue entry with limited details for tracking purposes. This initial report will not include enough information to fully disclose the vulnerability but will serve as a point of reference for development and fixes once they are available.
When a fix is available, PKP will contact its user community privately via mailing list with details of the fix, and leave a window of typically 2 weeks for community members to patch or upgrade before public disclosure.
PKP then discloses the vulnerability publicly by updating the Github issue entry with complete details and adding a notice about the vulnerability to the software download page (e.g. https://pkp.sfu.ca/ojs_download). At this point, a CVE and credit for the discovery may be added to the entry.
Depending on the severity of the issue PKP may back-port fixes to releases that are beyond the formal software end-of-life.
We aim to have a fix available within a week of notification.