Security in TYPO3

Our Security Policy

We follow a policy of least disclosure. We did not invent this approach; it is used by many projects around the world.

That is why we ask everyone to get in touch with the TYPO3 Security Team first whenever a security issue has been found.

Do not reveal any of your findings to any person or organisation, nor to the author of an extension directly.

How to report a TYPO3 security issue?

When you have found a security issue affecting TYPO3, a TYPO3 extension or the TYPO3 infrastructure, we kindly ask you to create a detailed security report describing the issue. The security report must be sent by email to the TYPO3 Security Team.

What information should be included in the security report?

Please always provide a detailed report about the discovered vulnerability. Your report must include the following information:

  • TYPO3 version and/or extension version affected by the issue.
  • Detailed steps to reproduce the issue on a fresh TYPO3 website.

Optionally, let us know if you do not want to be credited in the Security Bulletin, should your findings prove valid.

What types of issues are not considered security issues?

TYPO3 Admins

A TYPO3 admin holds the highest privilege level within a TYPO3 installation. TYPO3 admins do not need to exploit vulnerabilities to do harm to an installation. Therefore, we treat issues that are only exploitable by TYPO3 admins as regular bugs, which are handled in public.

TYPO3 Install Tool

The TYPO3 Install Tool is only accessible to TYPO3 admin users with system maintainer privileges. As with issues only exploitable by TYPO3 admin users, potential issues in the TYPO3 Install Tool are treated as regular bugs, which are handled in public.

User Enumeration

Enumerating usernames or email addresses in TYPO3 extensions is not considered a security vulnerability. For details, see TYPO3-PSA-2019-002.

If you are unsure if the issue you want to report is a security vulnerability or not, please send us your report anyway.

What happens after a security issue has been reported?

Once the TYPO3 Security Team receives a notification of an incident, one or more members review it and assess its impact. If TYPO3 or the TYPO3 extension turns out to be vulnerable, we work on a fix for the problem. Extension authors are contacted as well, if needed. Finally, the fix is tested, packaged and released. After all of that is done, an advisory is published.

Since all of this takes time, please be patient while waiting for an answer. Please refrain from making anything public before a fix is released - a published vulnerability without a fix is even more severe!

CVE Assignment

For issues affecting the TYPO3 Core, a CVE will be assigned regardless of the type and impact of the vulnerability.

For issues affecting TYPO3 extensions, a CVE will be assigned if the extension has at least 1,000 downloads on TER or 5,000 downloads on Packagist.

Credit

If you have reported a previously unknown security issue and did not disclose information about your findings, we will credit you in the Security Bulletin by name and company. If you do not wish to be credited, please state this in your security report.