This document describes how security vulnerabilities are handled for the Matomo-for-AzureAppService container project.

Only actively maintained major versions receive security fixes.

If you discover a vulnerability—including OS package issues, PHP/Apache problems, exposed secrets, misconfigurations, or any behavior that may affect security—please report it privately.

Please create a private advisory:

👉 https://github.com/umaxiaotian/Matomo-for-AzureAppService/security/advisories/new

This creates a secure discussion space.

If you prefer email, send reports to:

📧 [email protected]

Please include:

• Description of the issue
• Steps to reproduce
• Impact assessment (if known)
• Affected version(s) or container tag(s)
• Suggested mitigation or patch (optional)

We follow a structured response timeline:

• 🕒 Acknowledgement: within 72 hours
• 🔍 Initial Investigation: within 5 business days
• 🛠️ Fix Development: typically within 30 days
• 📢 Coordinated Disclosure: after the fix is published

Your identity and report contents will be treated confidentially.

We categorize issues using common industry standards:

This repository runs automated scanning:

Using Trivy with:

• Vulnerability scanning (HIGH/CRITICAL)
• Secret scanning (detects exposed keys)
• Misconfiguration scanning (SSH, Apache, PHP, Dockerfile)

• One issue per tag
• Automatically updated with new findings
• Labels: container-security, security, automated

Every new image built in CI is validated:

• HIGH/CRITICAL vulnerabilities → build fails
• Secrets/Misconfig detections → reported in logs

Please do not publicly disclose vulnerabilities before:

1. Reporting privately
2. Allowing time for analysis & fixes
3. Coordinating disclosure timing with maintainers

We deeply appreciate responsible security research.

Thank you for helping secure Matomo-for-AzureAppService.
Your contributions make this project safer for everyone.