TYPO3 is an open-source web content management system (CMS) released under the GPL - therefore the source code of TYPO3 (mainly written PHP and JavaScript/TypeScript) is the main focus of the bug bounty program.

All stable versions that are maintained for the TYPO3 community at the time of a vulnerability report are covered by the bug bounty program. It is required that versions being vulnerable have been released - development-only branches are not considered.

Currently supported and maintained versions (regular maintenance & priority bugfixes) are explained in TYPO3 CMS Roadmap.

• SQL injection bugs
• server-side code execution bugs
• cross-site scripting vulnerabilities
• cross-site request forgery vulnerabilities
• authentication and authorization flaws
• sensitive information disclosure

• software with known vulnerabilities - external libraries with known and published vulnerabilities (e.g. jQuery, CKEditor, any composer-based package), usually we are aware of that and upgrade packages (based on their severity) with next scheduled maintenance releases accordingly
• install tool & maintenance mode flaws - flaws that only work having a super-privileged user
• debug configuration - "information disclosure" shown as a result of explicitly using debug configuration is not considered a vulnerability
• XML external entity - XXE cannot be directly exploited with libxml2 version 2.9 in PHP - in case you insist on a XXE vulnerability, provide a corresponding proof-of-concept
• scenarios that require physical access - attack vectors that require phsyical access to a device are not considered a vulnerability, having physical access might allow compromising the operating system - Google provided a reasonable explanation for back button that keeps working after logout

Third-party extensions (plugins) that are not maintained by the TYPO3 Core Team are only covered if their distribution has an impact on the TYPO3 community - based on their download and installation counts. Since packages from packagist.org are used very often in automated tests the threshold has to be much higher compared to downloads from extensions.typo3.org. Only vulnerabilities in extensions that are flagged to be compatible with supported versions of TYPO3 CMS (see above) are covered by this bug bounty program.

• TYPO3 extension repository: https://extensions.typo3.org/
• TYPO3 composer packages: https://packagist.org/?type=typo3-cms-extension (type typo3-cms-extension)

tl;dr: Extensions are only eligible in case they are in use for a certain amount of time - the final decision is up to the security team.

• the same as for TYPO3 CMS (see above)
• "code via user-interface" extensions - extensions having the explicit purpose to allow non-privileged users writing TypoScript or PHP - which is per definition remote code execution - (most of) those extensions were tagged by the security team already at extensions.typo3.org
• wrapper extensions - extensions that are just wrapping another 3rd party library - similar to software with known vulnerabilities (e.g. there's a TYPO3 extension wrapping the phpMyAdmin library)
• CSV Code Injection

Bug bounties for infrastructure vulnerabilities are evaluated individually. For instance, known vulnerabilities of 3rd party vendors (web server, secure shell, …) or zero-day exploits are probably not eligible.

• typo3.org - the website of the main project (high significance)
• extensions.typo3.org - the website of the TYPO3 Extension Repository (high significance)
• my.typo3.org - single-sign-on and user management (high significance)
• ldap.typo3.org - central user-management via LDAP (high significance)
• git.typo3.org - Git service for the main project (high significance)
• get.typo3.org - version & release distribution hub (high significance)
• review.typo3.org - development review process using Gerrit (medium significance)
• docs.typo3.org - official TYPO3 Documentation based on Sphinx (medium significance)
• localize.typo3.org - localization overview hub for Crowdin (low significance)
• decisions.typo3.org - discussion platform base on Discourse (low significance)
• statistics.typo3.org - visitor tracking service based on Matomo (medium significance)
• talk.typo3.org - discussion platform base on Discourse (low significance)
• ticket.typo3.org - OTOBO/OTRS ticket management system (medium significance)
• typo3.com - the website of TYPO3 GmbH (high significance)
• login.typo3.com - single-sign-on gatekeeper based on KeyCloak (high significance)
• mautic.typo3.com - marketing automation hub based on Mautic (medium significance)
• forger.typo3.com - development hub and overview (low significance)
• reimbursement.typo3.com - payment handling for community members (high significance)
• shop.typo3.com - TYPO3 services shop portal based on Shopware (high significance)
• styleguide.typo3.com - TYPO3 logo & brand style-guide (low significance)
• typo3.social - Mastodon Fediverse service (medium significance)
• monitoring.typo3.org - Sentry service (medium significance)

• demo.typo3.org - this website does not have strict restrictions on purpose and is reset automatically after 30 minutes
• lists.typo3.org - mailing lists still exists for legacy reasons and URLs still might be referenced by external sites
• any other service that is not explicitly mentioned at "services in scope" (see above)

• public code, issues and reviews - the main purpose of a free-libre open-source project (like TYPO3) is to expose the source code to the public. Therefore public accessible data on review.typo3.org, forge.typo3.org, gitlab.typo3.org and git.typo3.org (incl. all issues, commits, comments, users etc.) are supposed to be public and no vulnerability.
• presence of banner or version information - version information does not, by itself, expose the service to attacks - so we do not consider this to be a bug - if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know
• Tabnabbing
• Content/Text injections (if non-persistent)
• Mixed content warnings
• Clickjacking/UI redressing
• Denial of Service (DoS) attacks
• Known CVEs without working PoC
• Open ports without real security impact
• Presence of autocomplete attribute on web forms
• Vulnerabilities affecting outdated browsers or platforms
• Self-XSS or XSS that cannot be used to impact other users
• Outdated libraries without a demonstrated security impact
• Any hypothetical flaw or best practices without exploitable PoC
• Expired certificate, best practices and other related issues for TLS/SSL certificates
• Missing security-related HTTP headers which do not lead directly to a vulnerability
• Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
• Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
• Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
• HTTP Strict Transport Security Header (HSTS)
• Subdomain takeover without a full working PoC
• Blind SSRF without direct impact (e.g. DNS pingback)
• Lack of rate-limiting, brute-forcing or captcha issues
• User enumeration (email, alias, GUID, phone number)
• Password requirements policies (length / complexity / reuse)
• Ability to spam users (email / SMS / direct messages flooding)

The following matrix shows the maximum amounts for each particular scope. In exceptional circumstances, the TYPO3 Security Team may grant higher or lower bug bounties based on the actual impact on the TYPO3 community.

^{*Rewards have been refined in October 2022, for earlier reports, the previous rules still apply.}

Bug bounty payments usually happen only after a confirmed vulnerability has been fixed and released to the public. In any case, issues have to be reported to the TYPO3 Security Team - via mail to security(at)typo3.org. See more information about incident handling.

This reward program is supposed to be a sign of acknowledgment and appreciation for sophisticated and detailed vulnerability reports. The TYPO3 Security Team will ignore any form of bounty begging or threats against the TYPO3 project.

The budget available for this bug bounty program is granted by the TYPO3 Association annually. This means there is a maximum amout of reward payments that is possible for each year.