For Users Creating a TYPO3 Extension: Extension Developers
When creating an extension, we expect you to follow the TYPO3 Coding Guidelines, to read the TYPO3 Security Guide, and to do your utmost to make the extension secure. If you are unsure whether a part of your extension is insecure, feel free to email us at security(at)typo3.org with your question and extension code, so we can help you.
In case you become aware of a security issue inside your (already published) extension, you are required to inform us about it. The work-flow below applies accordingly. Do not mention the issue to others, and do not upload a fixed version without coordinating with us.
In case we are notified by a third party, or find a security issue in your extension ourselves, the following work-flow will occur:
- We will notify you as soon as we have collected the necessary information and verified the issue, to make it possible for you to fix it.
- From the day we notify you about the security issue found in your extension, you will have 10 days to initially respond to us in order to show us that you are still actively maintaining the extension.
- From the day we notify you about the security issue found in your extension, you will have 21 days to fix the issue, look for other issues, and provide us with a fixed version. Please do so by sending us both a unified patch and a complete version of the extension as a zip file.
- Should either of those deadlines be missed, we will have to issue a removal bulletin. This bulletin will inform the public about the situation and recommend that all users uninstall the extension. At the same time, your extension is made unavailable for download from the TYPO3 Extension Repository.
- While working on fixing the security issue, it is mandatory for you to keep all information confidential. Do not disclose any information about the issue to any person or organisation.
- We expect you to carefully review your entire extension, not only the particular area where an issue has been discovered. Should you find more issues, let us know about them.
- In the process of fixing the security-related bugs, it is very important that you put nothing but security fixes into your patch.
- Do not add any new features! These would make it more difficult for us to review your fixes, and for the users of your extension, who should be able to update easily. New features may result in some users deciding not to upgrade, and thus not fixing the security issues in their current version.
- The fact that the fixed version is a feature-less upgrade should also be reflected by only increasing the last digit of the version number.
- We might also do a security audit, and if we find multiple other issues, we may require a full third-party review of the extension before it can make its way back into the TYPO3 Extension Repository.
The following situations will, without exception, require a full third-party review of your extension:
- A second bug of the same type is found after one has been fixed by you.
- The TYPO3 Coding Guidelines are not followed in your code to an acceptable minimum.
- We find multiple other security-related bugs, using a security scanner or by manual review.
- Finally, we will inform you about the kind of security bulletin that will be issued, and coordinate with you about the last steps.