Contacted by the Security Team

When you have been contacted by the TYPO3 security team and directed to this page, please make sure to read the full page!

Do not commit anything or publish a new version until the security bulletin is written and you have coordinated a release date with the team.

What you have to do next

  • Read the TYPO3 Extension Security policy.
  • Read the report that has been sent to you.
  • Reply to the security team stating whether you will provide a patch for the issue.
  • Create a patch and either send it to the security team for review or commit it to a private git repository, which the security team can provide on request.
  • Agree with the security team on a date by which you can provide a fixed version of your extension.
  • Keep the information confidential, sharing it only with the security team and the extension's co-maintainers, until the security bulletin has been released.

It is important to keep the issue confidential during this process, and to coordinate each step with the security team.

Whenever you are not sure what to do, contact the security team by replying to the email that was initially sent to you. 

What if you do not answer or maintain the extension any more?

If you do not maintain the extension any more, please let us know. If you do not answer in a timely manner, or progress on the fix seems to stall, we will have to issue a removal bulletin. This bulletin informs the public about the situation and recommends that all users uninstall the extension. At the same time, your extension is made unavailable for download from the TYPO3 Extension Repository.

How the Security Team will help you

  • Help you with questions
  • Ensure timely progress
  • Coordinate the release of the fixed extension
  • Create a security bulletin and mark vulnerable versions as insecure