To report a vulnerability, please contact PKP privately using: pkp.contact@gmail.com

You can expect a response via email to acknowledge your report within 2 working days.

PKP will then work to verify the vulnerability and assess the risk. This is typically done within the first week of a report. Once these details are known, PKP will file a Github issue entry with limited details for tracking purposes. This initial report will not include enough information to fully disclose the vulnerability but will serve as a point of reference for development and fixes once they are available.

When a fix is available, PKP will contact its user community privately via mailing list with details of the fix, and leave a window of typically 2 weeks for community members to patch or upgrade before public disclosure.

PKP then discloses the vulnerability publicly by updating the Github issue entry with complete details and adding a notice about the vulnerability to the software download page (e.g. https://pkp.sfu.ca/software/ojs). At this point, a CVE and credit for the discovery may be added to the entry.

Depending on the severity of the issue PKP may back-port fixes to releases that are beyond the formal software end-of-life.

We aim to have a fix available within a week of notification.