Skip to content

Security: ToMoHH/photoprism

Security

SECURITY.md

PhotoPrism® Security Policy

Please contact us at security@photoprism.app when you have discovered a potential security issue. You are welcome to also report vulnerabilities in third-party applications that we may not be able to fix directly.

At a minimum, your report should include the following:

  • version and architecture
  • vulnerability description
  • reproduction steps

We will then try to reproduce the problem, determine the impact and get back to you as soon as possible. Confirmed vulnerabilities will be fixed within 90 days, depending on the severity and whether third-party packages are affected.

Responsible Disclosure

  1. Confirm that the vulnerability applies to a current version and is reproducible.
  2. First share the vulnerability details with us so that users are not put at risk.
  3. Wait before publishing details until everyone has had a chance to update.
  4. Respect the privacy of others.

Avoid activities that disrupt, degrade, or interrupt our services or compromise other users' data, such as spam, brute force attacks, denial of service attacks, and malicious file distribution.

Reporting Issues as a Business or Organization

(a) If an email we receive appears to be auto-generated and does not look like a legitimate report that has been manually reviewed in accordance with the requirements of this policy, we may ignore it and you should not expect a response in order to protect our ability to respond to actual issues.

(b) Unless absolutely necessary, for example to report a major issue that has just been discovered, please send requests or reports during regular business hours and never at night or on weekends, especially if they are sent asynchronously.

(c) Refrain from sending HTML emails as we consider them insecure and unsuitable for this purpose.

(d) If you are contacting us as a business or organization, we encourage you to include legal and contact information on your website, as failure to provide legally required information may compromise your eligibility and trustworthiness.

There aren’t any published security advisories