It is strongly recommended to establish a security policy suitable for your local environment before utilizing ImageMagick.
We encourage users to upgrade to the latest ImageMagick release to ensure that all known security vulnerabilities are addressed. On request, we can backport security fixes to other ImageMagick versions.
Before you post a vulnerability, first determine whether it can be mitigated by the security policy. ImageMagick, by default, is open. Use the security policy to add constraints to meet the requirements of your local security governance. If you feel confident that the security policy does not address the vulnerability, post the vulnerability as an issue, or post it privately to the ImageMagick development team. Most vulnerabilities are fixed within 48 hours.
In addition, request a CVE. We rely on you to post CVEs so our development team can concentrate on delivering a robust security patch.