Double bug bounties for vulnerabilities in TYPO3 CMS until the end of 2024

Categories: Community, TYPO3 CMS
Created by Torben Hansen and Oliver Hader

The TYPO3 Security Team is doubling bug bounties for all verified vulnerabilities in TYPO3 CMS until December 31, 2024. This special campaign offers an opportunity for security researchers and ethical hackers to contribute to TYPO3’s security with enhanced rewards in recognition of their efforts.

Cybersecurity Awareness Month is an annual event held every October to raise awareness about the importance of cybersecurity. It was first declared in 2004 in response to the growing need for awareness of cybersecurity risks as digital technology became increasingly integrated into everyday life.

The TYPO3 Security Team is dedicated to maintaining a secure and reliable content management system for our community. We recognize the important role that security researchers play in helping us identify vulnerabilities in TYPO3 CMS before they can be exploited. Therefore, we actively invite security researchers, ethical hackers, and developers to engage with us in making TYPO3 CMS safer for everyone.

To further emphasize our commitment to security and to build on the awareness Cybersecurity Month generated, we are excited to announce a Holidays 2024 themed campaign in which we will double all bug bounties for reported issues affecting TYPO3 CMS. The campaign runs until the end of the holiday season, on 31 December 2024. This is our way of saying thank you to the security community for their continued support and dedication to making the internet a safer place.

The updated rewards for issues in TYPO3 CMS are as follows:

  • Critical (CVSS ≥ 9.0): Up to 1,200 EUR
  • High (CVSS ≥ 7.0): Up to 600 EUR
  • Medium (CVSS ≥ 4.0): Up to 300 EUR
  • Low (CVSS < 4.0): Up to 100 EUR

To qualify for these rewards, reported issues must align with the qualifying criteria outlined on our bug bounty program page and must be confirmed by the TYPO3 Security Team by 31 December 2024.

Please note that the increased bounties apply exclusively to vulnerabilities found in TYPO3 CMS itself. They do not extend to third-party extensions or infrastructure-related issues.