The Piwigo team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings.

Security updates will typically only be applied to the latest release. Exceptionally, we may release a new version of an old branch but that won't be the standard way we process.

Please contact us at security@piwigo.org when you have discovered a potential security issue. Please do not create a public issue for now. At a minimum, your report by email should include the following:

• version of Piwigo, version of PHP, version of MySQL/MariaDB
• vulnerability description
• reproduction steps

You will receive a response from us within 72 hours. If the issue is confirmed we will then work on fixing it and release a new fixed version of Piwigo, following these steps:

• Confirm the problem and determine the affected versions.
• Audit code to find any potential similar problems.
• Prepare a fix for master branch and backport it on the current stable branch.
• Release a new version of Piwigo on its current stable branch as fast as possible, historically within a few days.

1. Confirm that the vulnerability applies to a current version and is reproducible.
2. First share the vulnerability details with us so that users are not put at risk.
3. Wait before publishing details until everyone has had a chance to update.
4. Respect the privacy of others.

Avoid activities that disrupt, degrade, or interrupt our services or compromise other users' data, such as spam, brute force attacks, denial of service attacks, and malicious file distribution.