Bug bounty reward levels are based on the severity of the reported bug; for example, "critical" bugs are paid the highest. Based on the CVSS v3.1 (Common Vulnerability Scoring System) severity ratings of reported vulnerabilities, the TYPO3 project will offer the following maximum bug bounties after the vulnerabilities have been fixed and the fixes released.
Vulnerability reports must therefore have been confirmed and handled by the TYPO3 Security Team. Similar vulnerabilities that affect multiple versions are considered a single vulnerability. If a single component has multiple vulnerabilities, only the most severe one is considered.
In exceptional circumstances, the TYPO3 Security Team may grant higher or lower bug bounties based on the actual impact on the TYPO3 community. The program is available for individuals only. People who have a current and active role in teams, committees, or initiatives of the TYPO3 Association are excluded, although the TYPO3 Security Team can decide whether to make an exception to this rule.