TYPO3 Bug Bounty Program

All software contains bugs - some only affect the user experience or how information is handled, while others have a severe impact on web application security and data privacy. Since the TYPO3 project wants to encourage security researchers to analyze our products, we introduced a dedicated bug bounty program.

General Procedure

Bug bounty reward levels are based on severity; for example, "critical" bugs are paid the highest amount. Based on the CVSS v3.1 (Common Vulnerability Scoring System) severity rating of a reported vulnerability, the TYPO3 project offers the maximum bug bounties listed below, paid after the fix has been released.

Therefore, vulnerability reports must have been confirmed and handled by the TYPO3 Security Team. Similar vulnerabilities that affect multiple versions are considered a single vulnerability. If a single component has multiple vulnerabilities, only the most severe one is considered.

In exceptional circumstances, it is possible that the TYPO3 Security Team may grant higher or lower bug bounties based on the actual impact on the TYPO3 community. The program is available for individuals only. People who have a current and active role in teams, committees, or initiatives of the TYPO3 Association are excluded - the TYPO3 Security Team can decide if there should be an exception to the rule.

Main Focus: TYPO3 CMS

TYPO3 is an open-source web content management system (CMS) released under the GPL - therefore the source code of TYPO3 (mainly written in PHP and JavaScript/TypeScript) is the main focus of the bug bounty program.

All stable versions that are maintained for the TYPO3 community at the time of a vulnerability report are covered by the bug bounty program. The vulnerable versions must have been released - development-only branches are not considered.

Currently supported and maintained versions (regular maintenance & priority bugfixes) are listed in the TYPO3 CMS Roadmap.

Qualifying vulnerabilities

  • SQL injection bugs
  • server-side code execution bugs
  • cross-site scripting vulnerabilities
  • cross-site request forgery vulnerabilities
  • authentication and authorization flaws
  • sensitive information disclosure

Non-qualifying vulnerabilities

  • software with known vulnerabilities - external libraries with known and published vulnerabilities (e.g. jQuery, CKEditor, any composer-based package); usually we are already aware of these and upgrade the packages (based on their severity) with the next scheduled maintenance releases
  • install tool & maintenance mode flaws - flaws that can only be exploited by a super-privileged user
  • debug configuration - "information disclosure" shown as a result of explicitly enabling debug configuration is not considered a vulnerability
  • XML external entity - XXE cannot be directly exploited with libxml2 version 2.9 in PHP; if you insist on an XXE vulnerability, provide a corresponding proof-of-concept
  • scenarios that require physical access - attack vectors that require physical access to a device are not considered a vulnerability, since physical access might allow compromising the operating system anyway - Google provided a reasonable explanation for the back button that keeps working after logout

Extensions (3rd party plugins)

Third-party extensions (plugins) that are not maintained by the TYPO3 Core Team are only covered if their distribution has an impact on the TYPO3 community - based on their download and installation counts. Since packages from packagist.org are used very often in automated tests the threshold has to be much higher compared to downloads from extensions.typo3.org. Only vulnerabilities in extensions that are flagged to be compatible with supported versions of TYPO3 CMS (see above) are covered by this bug bounty program.

tl;dr: Extensions are only eligible in case they are in use for a certain amount of time - the final decision is up to the security team.

Non-qualifying vulnerabilities

  • the same as for TYPO3 CMS (see above)
  • "code via user-interface" extensions - extensions whose explicit purpose is to allow non-privileged users to write TypoScript or PHP, which is by definition remote code execution; (most of) those extensions have already been tagged by the security team at extensions.typo3.org
  • wrapper extensions - extensions that merely wrap another 3rd party library, similar to software with known vulnerabilities (e.g. there is a TYPO3 extension wrapping the phpMyAdmin library)
  • CSV Code Injection

Infrastructure

Bug bounties for infrastructure vulnerabilities are evaluated individually. For instance, known vulnerabilities of 3rd party vendors (web server, secure shell, …) or zero-day exploits are probably not eligible.

Services in scope

  • typo3.org - the website of the main project (high significance)
  • extensions.typo3.org - the website of the TYPO3 Extension Repository (high significance)
  • my.typo3.org - single-sign-on and user management (high significance)
  • ldap.typo3.org - central user-management via LDAP (high significance)
  • git.typo3.org - Git service for the main project (high significance)
  • get.typo3.org - version & release distribution hub (high significance)
  • review.typo3.org - development review process using Gerrit (medium significance)
  • docs.typo3.org - official TYPO3 Documentation based on Sphinx (medium significance)
  • gitlab.typo3.org - Git, and CI hosting for community services (medium significance)
  • localize.typo3.org - localization management based on Crowdin (medium significance)
  • decisions.typo3.org - discussion platform based on Discourse (low significance)
  • talk.typo3.org - discussion platform based on Discourse (low significance)
  • typo3.com - the website of TYPO3 GmbH (high significance)
  • login.typo3.com - single-sign-on gatekeeper based on KeyCloak (high significance)
  • reimbursement.typo3.com - payment handling for community members (high significance)
  • shop.typo3.com - TYPO3 services shop portal based on Shopware (high significance)

Out-of-scope services

  • demo.typo3.org - this website does not have strict restrictions on purpose and is reset automatically after 30 minutes
  • translation.typo3.org - legacy localization server based on Pootle; it might still be referenced by external services
  • lists.typo3.org - mailing lists that still exist for legacy reasons; their URLs might still be referenced by external sites
  • lists.association.typo3.org - mailing lists that still exist for legacy reasons; their URLs might still be referenced by external sites
  • wiki.typo3.org - this MediaWiki installation still exists for legacy reasons; its URLs might still be referenced by external sites
  • any other service that is not explicitly mentioned at "services in scope" (see above)

Non-qualifying vulnerabilities

  • presence of banner or version information - version information does not, by itself, expose the service to attacks, so we do not consider this a bug; if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know
  • public code, issues and reviews - the main purpose of a free-libre open-source project (like TYPO3) is to expose the source code to the public. Therefore, publicly accessible data on review.typo3.org, forge.typo3.org, gitlab.typo3.org and git.typo3.org (incl. all issues, commits, comments, users etc.) is supposed to be public and is not a vulnerability.
  • DNS and mail-related settings - please do not report e.g. lax DMARC settings as a "critical vulnerability"
  • user enumeration - TYPO3 is an open-source community; user names and corresponding email addresses are therefore published in our issue tracker, Git repositories, and other tools used by the online community
  • scenarios that require physical access - attack vectors that require physical access to a device are not considered a vulnerability, since physical access might allow compromising the operating system anyway - Google provided a reasonable explanation for the back button that keeps working after logout
  • legacy and archive information - legacy member lists stored in web archives and external static exports are not part of our scope
  • impersonation via broken link hijacking (BLH) - in most cases this concerns archived & orphaned links last used more than 5 years ago; if current accounts/resources are affected (e.g. a typing error in a URL), please let us know
  • missing rate limit - please do not report a missing rate limit for login and password reset forms
  • missing security headers - any kind of "missing" HTTP response header (e.g. X-XSS-Protection, X-Frame-Options, Content-Security-Policy)

Reward Amounts

The following matrix shows the maximum amounts for each particular scope. In exceptional circumstances, the TYPO3 Security Team may grant higher or lower bug bounties based on the actual impact on the TYPO3 community.

                  critical         high             medium           low
                  (CVSS ≥ 9.0)     (CVSS ≥ 7.0)     (CVSS ≥ 4.0)     (CVSS < 4.0)
TYPO3 CMS         up to 600 EUR    up to 300 EUR    up to 150 EUR    up to 50 EUR
Extensions        up to 300 EUR    up to 150 EUR    up to 100 EUR
Infrastructure    up to 300 EUR    up to 150 EUR    up to 100 EUR

*Rewards were refined in October 2022; for earlier reports, the previous rules still apply.

Final Remarks

Bug bounty payments usually happen only after a confirmed vulnerability has been fixed and released to the public. In any case, issues have to be reported to the TYPO3 Security Team via mail to security(at)typo3.org. See more information about incident handling.

This reward program is supposed to be a sign of acknowledgment and appreciation for sophisticated and detailed vulnerability reports. The TYPO3 Security Team will ignore any form of bounty begging or threats against the TYPO3 project.

The budget available for this bug bounty program is granted annually by the TYPO3 Association. This means there is a maximum amount of reward payments possible for each year.