In the past, whenever we received security related questions and suggestions for Piwik, sent to our firstname.lastname@example.org address, we quickly reacted and released a fix in a new Piwik release. However, going forward, we want to be proactive, so we requested a professional and thorough review of our code base.
SektionEins, a leading software security company based in Germany, undertook the professional security review of the Piwik source code. Stefan Esser conducted the audit on the Piwik source code for 5 full days. Stefan then sent us all the details about what could be improved in Piwik regarding security (various recommendations, XSS, etc.). Anthon and Matt from the Piwik team then prepared fixes and improvements following the security audit, which were then released in Piwik 1.1.
We would like to give a huge thanks to SektionEins and Stefan Esser for their work and support to Piwik and the open source community. We are very happy with their service, and can only recommend all other open source projects (and of course any closed source softwares) to contract them for security audits, consulting and/or security training.
We also want to give credit to our sponsors who helped us cover the cost of the review.
You can also learn more about our continuous Security efforts in Piwik.
Piwik 1.1 is rated critical. Please update to Piwik 1.1 now.