TYPO3 Bug Bounty Program

Every software contains bugs - some only affect user-experience or how information is handled and some have a severe impact in terms of web application security and data privacy. Since the TYPO3 project wants to encourage security reporters to analyze our products we introduced a dedicated bug bounty program.

General Procedure

Bug bounty reward levels are based on their severity, for example, “critical bugs” discovered will be paid the highest. Based on the CVSS v3.1 (Common Vulnerability Scoring System) severity ratings of reported vulnerabilities, the TYPO3 project will offer the following maximum bug bounties after they have been fixed and released. 

Therefore it is required that vulnerability reports have been confirmed and handled by the TYPO3 Security Team. Similar vulnerabilities that affect multiple versions are considered as one single vulnerability. In case a single component has multiple vulnerabilities, only the most severe one is considered.

In exceptional circumstances, it is possible that the TYPO3 Security Team may grant higher or lower bug bounties based on the actual impact on the TYPO3 community. The program is available for individuals only. People who have a current and active role in teams, committees, or initiatives of the TYPO3 Association are excluded - the TYPO3 Security Team can decide if there should be an exception to the rule.

Main Focus: TYPO3 CMS

TYPO3 is an open-source web content management system (CMS) released under the GPL - therefore the source code of TYPO3 (mainly written PHP and JavaScript/TypeScript) is the main focus of the bug bounty program.

All stable versions that are maintained for the TYPO3 community at the time of a vulnerability report are covered by the bug bounty program. It is required that versions being vulnerable have been released - development-only branches are not considered.

Currently supported and maintained versions (regular maintenance & priority bugfixes) are explained in TYPO3 CMS Roadmap.

Qualifying vulnerabilities

  • SQL injection bugs
  • server-side code execution bugs
  • cross-site scripting vulnerabilities
  • cross-site request forgery vulnerabilities
  • authentication and authorization flaws
  • sensitive information disclosure

Non-qualifying vulnerabilities

  • software with known vulnerabilities - external libraries with known and published vulnerabilities (e.g. jQuery, CKEditor, any composer-based package), usually we are aware of that and upgrade packages (based on their severity) with next scheduled maintenance releases accordingly
  • install tool & maintenance mode flaws - flaws that only work having a super-privileged user
  • debug configuration - "information disclosure" shown as a result of explicitly using debug configuration is considered a vulnerability
  • XML external entity - XXE cannot be directly exploited with libxml2 version 2.9 in PHP - in case you insist on a XXE vulnerability, provide a corresponding proof-of-concept
  • scenarios that require physical access - attack vectors that require phsyical access to a device are not considered a vulnerability, having physical access might allow compromising the operating system - Google provided a reasonable explanation for back button that keeps working after logout

Extensions (3rd party plugins)

Third-party extensions (plugins) that are not maintained by the TYPO3 Core Team are only covered if their distribution has an impact on the TYPO3 community - based on their download and installation counts. Since packages from packagist.org are used very often in automated tests the threshold has to be much higher compared to downloads from extensions.typo3.org. Only vulnerabilities in extensions that are flagged to be compatible with supported versions of TYPO3 CMS (see above) are covered by this bug bounty program.

tl;dr: Extensions are only eligible in case they are in use for a certain amount of time - the final decision is up to the security team.

Non-qualifying vulnerabilities

  • the same as for TYPO3 CMS (see above)
  • "code via user-interface" extensions - extensions having the explicit purpose to allow non-privileged users writing TypoScript or PHP - which is per definition remote code execution - (most of) those extensions were tagged by the security team already at extensions.typo3.org
  • wrapper extensions - extensions that are just wrapping another 3rd party library - similar to software with known vulnerabilities (e.g. there's a TYPO3 extension wrapping the phpMyAdmin library)
  • CSV Code Injection

Infrastructure

Bug bounties for infrastructure vulnerabilities are evaluated individually. For instance, known vulnerabilities of 3rd party vendors (web server, secure shell, …) or zero-day exploits are probably not eligible.

Services in scope

  • typo3.org - the website of the main project (high significance)
  • extensions.typo3.org - the website of the TYPO3 Extension Repository (high significance)
  • my.typo3.org - single-sign-on and user management (high significance)
  • ldap.typo3.org - central user-management via LDAP (high significance)
  • git.typo3.org - Git service for the main project (high significance)
  • get.typo3.org - version & release distribution hub (high significance)
  • review.typo3.org - development review process using Gerrit (medium significance)
  • docs.typo3.org - official TYPO3 Documentation based on Sphinx (medium significance)
  • gitlab.typo3.org - Git, and CI hosting for community services (medium significance)
  • localize.typo3.org - localization management based on Crowdin (medium significance)
  • decisions.typo3.org - discussion platform base on Discourse (low significance)
  • talk.typo3.org - discussion platform base on Discourse (low significance)
  • typo3.com - the website of TYPO3 GmbH (high significance)
  • login.typo3.com - single-sign-on gatekeeper based on KeyCloak (high significance)
  • reimbursement.typo3.com - payment handling for community members (high significance)
  • shop.typo3.com - TYPO3 services shop portal based on Shopware (high significance)

Out-of-scope services

  • demo.typo3.org - this website does not have strict restrictions on purpose and is reset automatically after 30 minutes
  • translation.typo3.org - legacy localization server based on Pootle still migh be referenced by external services
  • lists.typo3.org - mailing lists still exists for legacy reasons and URLs still might be referenced by external sites
  • lists.association.typo3.org - mailing lists still exists for legacy reasons and URLs still might be referenced by external sites
  • wiki.typo3.org - this MediaWiki installation still exists for legacy reasons and URLs still might be referenced by external sites
  • any other service that is not explicitly mentioned at "services in scope" (see above)

Non-qualifying vulnerabilities

  • presence of banner or version information - version information does not, by itself, expose the service to attacks - so we do not consider this to be a bug - if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know
  • public Git repositories - the main purpose of a free-libre open-source project (like TYPO3) is to expose the source code to the pubic, please do not report public repositories as a vulnerability
  • DNS and mail-related settings - please do not report e.g. lax DMARC settings as "critical vulnerability"
  • user enumeration - TYPO3 is an open-source community, user names and corresponding email addresses thus are published in our issue tracker, Git repositories, and other tools used by the online community
  • scenarios that require physical access - attack vectors that require phsyical access to a device are not considered a vulnerability, having physical access might allow compromising the operating system - Google provided a reasonable explanation for back button that keeps working after logout
  • legacy and archive information - legacy member lists stored in web archives and external static exports are not part of our scope
  • impersonation via broken link hijacking (BLH) - in most cases concerns archived & orphaned links used more than 5 years ago - in case current accounts/resources are affected (e.g. typing error in URL), please let us know
  • Missing rate limit - please do not report missing rate limit for login and password reset forms.

Reward Amounts

The following matrix shows the maximum amounts for each particular scope. In exceptional circumstances, the TYPO3 Security Team may grant higher or lower bug bounties based on the actual impact on the TYPO3 community.

 critical
(CVSS ≥ 9.0)
high
(CVSS ≥ 7.0)
medium
(CVSS ≥ 4.0)
low
(CVSS < 4.0)
TYPO3 CMSup to 750 EURup to 500 EURup to 250 EURup to 100 EUR
Extensionsup to 250 EURup to 200 EURup to 100 EUR
Infrastructureup to 250 EURup to 200 EURup to 100 EUR

Final Remarks

Bug bounty payments usually happen only after a confirmed vulnerability has been fixed and released to the public. In any case, issues have to be reported to the TYPO3 Security Team - via mail to security(at)typo3.org. See more information about incident handling.

This reward program is supposed to be a sign of acknowledgment and appreciation for sophisticated and detailed vulnerability reports. The TYPO3 Security Team will ignore any form of bounty begging or threats against the TYPO3 project.

The budget available for this bug bounty program is granted by the TYPO3 Association annually. This means there is a maximum about of reward payments that is possible for each year.