PKP usually supports current major release and the last major release. Other releases receive bug fixes for about two years. However, that is not guaranteed.

LTS versions are an exception to this general rule, that don't include new features but receive security patches and bug fixes for 3-5 years. At least 12 months before a LTS version reaches EOL, a new LTS version is designated, so that you have one year to perform an upgrade.

To report a vulnerability, please contact PKP privately using: pkp.contact@gmail.com

You can expect a response via email to acknowledge your report within 2 working days.

PKP will then work to verify the vulnerability and assess the risk. This is typically done within the first week of a report. Once these details are known, PKP will file a Github issue entry with limited details for tracking purposes. This initial report will not include enough information to fully disclose the vulnerability but will serve as a point of reference for development and fixes once they are available.

When a fix is available, PKP will contact its user community privately via mailing list with details of the fix, and leave a window of typically 2 weeks for community members to patch or upgrade before public disclosure.

PKP then discloses the vulnerability publicly by updating the Github issue entry with complete details and adding a notice about the vulnerability to the software download page (e.g. https://pkp.sfu.ca/software/omp). At this point, a CVE and credit for the discovery may be added to the entry.

Depending on the severity of the issue PKP may back-port fixes to releases that are beyond the formal software end-of-life.

We aim to have a fix available within a week of notification.