Piwik Security Bug Bounty Program
Our bug bounty program for Piwik is intended to promote security research of Piwik and to help with the continuing process of keeping Piwik secure as this is software that we use and support for our clients.
Requirements
- The bug must not have been previously reported.
- The bug must be in the most recently released version.
- You must not have created the buggy code or been in any way involved in its creation.
Bounties
- Remote execution of arbitrary PHP code: US$200
- Remote malicious file inclusion: US$200
- Remote SQL Injection that allows reading or modifying the database: US$100
- Persistent cross-site scripting (XSS): US$100
- Authentication flaw that allows access to Admin-level capabilities: US$100
- Privilege escalation from View to Admin user: US$100
- Information disclosure that exposes config.ini.php file contents: US$100
- Reflective cross-site scripting (XSS): US$50
- DOM-based cross-site scripting (XSS): US$50
- Cross-site request forgery (CSRF): US$50
Process
To receive the bounty, you need to mention the bounty program when you first contact the Piwik developers about the bug, and they need to acknowledge that. If you are unable to do that, you need to send the vulnerability report directly to us, and we will then forward it to the Piwik developers. Once that has been completed, you will also need to provide enough information for us to recreate the exploitation of the vulnerability. The bounty will be paid via PayPal. The bounty can be combined with a bounty from Piwik's own security bounty program. The bounty can also be donated to a charity of your choice.