Security Advisories

SimpleSAMLphp is a software product critical for the security of applications and the privacy of users. As such, we take every security issue very seriously, and try to solve them as fast as possible, avoiding any potential damage to both users of this software and end users.

This page contains information about security vulnerabilities, incidents or issues related to SimpleSAMLphp. Read below to learn how to properly report vulnerabilities, as well as to find information about issues already reported and fixed.

Supported Versions

Version Active support Security support
2.2 Next release +6mo Next release +1yr
2.1 2024-09-08 2025-03-08
2.0 2024-04-30 2024-10-30
< 2.0 No support No support

Reporting vulnerabilities

In case you find a vulnerability in SimpleSAMLphp, or you want to confirm a possible security issue in the software, please get in touch with us through Sikt’s CERT team. Please use our PGP public key to encrypt any possible sensitive data that you may need to submit. We will get back to you as soon as possible according to our working hours in Central European Time.

When reporting a security issue, please add as much information as possible to help us identify, confirm, replicate and fix the problem. In particular, remember to include the following information in your report:

Please DO NOT report security incidents related to systems that use SimpleSAMLphp, where this software is not the cause of the incident. Issues related to the use (or misuse) of infrastructure, misconfiguration of the software, malfunction of a particular system or user-related errors should not be reported either. If you are using SimpleSAMLphp to authenticate or login to services, but you don’t know what SimpleSAMLphp is or you are not sure about the nature of the issue, please contact the organization running the service for you.

Finally, be reasonable. We’ll do our best to resolve the issue according to our principles of security and transparency. Every confirmed vulnerability will be published and resolved in a timely manner. All we ask in return is that you contact us privately first in order to avoid any potential damage to those using the software.

List of Security Advisories