TYPO3 Extension Security Policy
This is the official policy on the handling of security incidents, as defined by the TYPO3 Security Team. When this text says "we", "our" or "us", we mean the TYPO3 Security Team.
This policy is subject to change over time, so please make sure to have the latest version whenever you use it. The latest version of this document can be found on typo3.org/teams/security/extension-security-policy/
For Users Downloading a TYPO3 Extension: Extension Users
When downloading an extension from the public TYPO3 Extension Repository, you should be aware of the following points in regards to security.
- An extension might have one or more security related issues which have not yet been discovered.
- An extension might have one or more security related issues which have been brought to our attention, but we have not yet informed the public about. See the section for extension developers in order to understand how we handle issues reported to us.
- Make sure to subscribe to the typo3-announce mailing list. This list is very low-traffic, but will inform you in case of security issues.
- Major issues (e.g. with the official core code or with wide-spread third party extensions) will be published there, as well as on typo3.org and its RSS feeds.
- Past announcements can be found on the TYPO3 Security Bulletin Page.
- For general security measures, please see the TYPO3 Security Guide.
- If you are interested in donating e.g. for a security review of specific extension, please contact us.
For Users Creating a TYPO3 Extension: Extension Developers
When creating an extension, we expect you to follow the TYPO3 Coding Guidelines, to read the TYPO3 Security Guide, and do your upmost to make the extension secure. If you are unsure if a part of your extension is insecure, feel free to contact us with your question and extension code, so we can help you.
In case you become aware of a security issue inside your (already published) extension, you are required to inform us about it. The work-flow below applies accordingly.
Do not mention the issue to others, and do not upload a fixed version without coordinating with us.
In case we are notified by a third party, or find a security issue in your extension ourselves, the following work-flow will occur:
- We will notify you as soon as we have collected the necessary information and verified the issue, to make it possible for you to fix it.
- From the day we notify you about the security issue found in your extension, you will have 10 days to initially respond to us in order to show us that you are still actively maintaining the extension.
- From the day we notify you about the security issue found in your extension, you will have 21 days to fix the issue, look for other issues, and provide us with a fixed version. Please do so by either sending us both an unified patch or by creating a pull request to a private git repository, which we can provide on demand.
- Should either of those timelines be missed, we will have to issue a removal bulletin. This bulletin will inform the public about the situation, and recommend all users to uninstall the extension. At the same time your extension is made unavailable for download from the TYPO3 Extension Repository.
- While working on fixing the security issue, it is mandatory for you to keep all information confidential. Do not disclose any information about the issue to any person or organisation.
- We expect you to carefully review your entire extension, not only the particular area where an issue has been discovered. Should you find more issues: Let us now about it.
- In the process of fixing the security related bugs, it is very important that you put nothing but security fixes into your patch.
- Do not add any new features! All of those would make it more difficult for us to review your fixes and for the users of your extension who should be able to update easily. New features may result in some users deciding not to upgrade, and by that not fix the security issues in their current version.
- The fact that the fixed version is a feature-less upgrade should also be reflected by only increasing the last digit of the version number.
- We might also do a security audit, and in the case we find multiple other issues, we may require a full third party review of the extension, before it can make its way back into the TYPO3 Extension Repository.
The following situations will, without exception, require a full third party review of your extension:
- A second bug of the same type is found after one has been fixed by you.
- The TYPO3 Coding Guide Lines is not followed in your code to an acceptable minimum.
- We find multiple other security related bugs, using a security scanner, or by manual review.
- Finally, we will inform you about the kind of security bulletin that will be issued, and coordinate with you about the last steps.