Security

Security is a very important priority at Piwik. As potential issues are discovered, we validate, patch and release fixes as quickly as we can.

We have a security bug bounty program in place that rewards researchers for finding security issues and disclosing them to us. We also document here how you can make your own Piwik data safer and your server more secure.

Security announcements

You can review the previous security issues in Piwik, or subscribe to the RSS feed or the Changelog to be notified of any new release.

Piwik Security Bug Bounty Program

The Piwik Security Bug Bounty Program is designed to encourage security research in Piwik and to reward those who help us create the safest Web Analytics platform.

The bounty for valid critical security bugs is a $500 (US) cash reward. The bounty for non-critical bugs is $200 (US), paid via Paypal.

The bounty will be awarded for security bugs that meet the following criteria:

  • Security bug must be original and previously unreported
  • Security bug is present in the most recent supported or release candidate version of Piwik
  • If two or more people report the bug together, the reward will be divided among them

As of January 2012, we have already rewarded more than 10 researchers. This program has been very successful in improving code quality and fixing all known security issues in Piwik.

How to report a security issue?

Please email security issues to security@piwik.org. Please provide as many details as you can about the environment, Piwik version, plugins used (if relevant), etc.

You will receive a response from a team member acknowledging receipt of your email, typically within 24 hrs. If you do not receive a response, please do not assume we're ignoring you — it's quite possible your email didn't make it through a spam filter.

We appreciate your patience and community support. Some bugs take time to correct, and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming. Please do not disclose the vulnerability to anyone until a few days after the stable Piwik release containing the fix is published and the advisory has been issued.

You will be credited in the security announcement and in the Changelog. If applicable, the security bug bounty will be paid via Paypal. Thank you for making the Free Software world better.

Security in our development process

Core developers are all committed to achieving the highest standard of security. All Piwik PHP code should adhere to the Security checklist. All commits to the Piwik SVN are reviewed by at least two core developers.

Regular external security reviews take place, and some of these have contributed security suggestions. We have also conducted a paid security review in the past.

We hope Piwik is not vulnerable to any critical security bug, and we are committed to keeping it that way. Thank you for your support!

Improve your Piwik server Security and set your Privacy options

Once you have installed Piwik and started gathering visitor data in your MySQL database, you might be concerned about others accessing your servers. There are easy steps you can take to ensure that adding Piwik to your existing software environment (CMS, CRM, etc.) will be as safe as possible.

Make your Piwik server more secure

Installing Piwik and tracking visitors is quick and easy, but how can you make sure it is nearly impossible to break into your server, and protect your database from being accessed by external parties?

To make your server & database more secure, check out our step by step guide: Secure Piwik server: steps to keep Piwik safe

Data privacy and Visitor privacy

Piwik strives to provide excellent privacy features for you, the Piwik user, and also for the visitors being tracked in your Piwik. See the Piwik & User Privacy page for more information.