In the past, whenever we received security related questions and suggestions for Matomo (Piwik), sent to our firstname.lastname@example.org address, we quickly reacted and released a fix in a new Matomo release. However, going forward, we want to be proactive, so we requested a professional and thorough review of our code base.
SektionEins, a leading software security company based in Germany, undertook the professional security review of the Matomo source code. Stefan Esser conducted the audit on the Matomo source code for 5 full days. Stefan then sent us all the details about what could be improved in Matomo regarding security (various recommendations, XSS, etc.). Anthon and Matt from the Matomo team then prepared fixes and improvements following the security audit, which were then released in Matomo 1.1.
We would like to give a huge thanks to SektionEins and Stefan Esser for their work and support to Matomo and the open source community. We are very happy with their service, and can only recommend all other open source projects (and of course any closed source softwares) to contract them for security audits, consulting and/or security training.
We also want to give credit to our sponsors who helped us cover the cost of the review.
You can also learn more about our continuous Security efforts in Matomo.
Matomo 1.1 is rated critical. Please update to Matomo 1.1 now.