TYPO3 Extension Security Policy version 1.0
This is the official policy on the handling of security incidents, as defined by the TYPO3 Security Team. When this text says "we", "our" or "us", we mean the TYPO3 Security Team.
This policy is subject to change over time, so please make sure to have the latest version whenever you use it. The latest version of this document can be found on http://typo3.org/teams/security/extension-security-policy/
For Users Downloading a TYPO3 Extension: Extension Users
When downloading an extension from the public TYPO3 Extension Repository, you should be aware of the following points with regard to security.
- An extension might have one or more security related issues which have not yet been discovered.
- An extension might have one or more security related issues which have been brought to our attention, but we have not yet informed the public about. See the section for extension developers in order to understand how we handle issues reported to us.
- Make sure to subscribe to the typo3-announce mailing list [1]. This list is very low-traffic, but will inform you in case of security issues.
- Major issues (e.g. with the official core code or with widespread third party extensions) will be published there, as well as on typo3.org and its RSS feeds.
- Other security upgrades will be listed in Collective Bulletins.
- Past announcements can be found on the TYPO3 Security Bulletin Page [5].
- For general security measures, please see the TYPO3 Security Guide [3].
- If you are interested in donating, e.g. for a security review of a specific extension, please contact us at security(at)typo3.org.
For Users Creating a TYPO3 Extension: Extension Developers
When creating an extension, we expect you to follow the TYPO3 Coding Guidelines [2], to read the TYPO3 Security Guide [3], and to do your utmost to make the extension secure. If you are unsure whether a part of your extension is insecure, feel free to email us at security(at)typo3.org with your question and extension code, so we can help you.
In case you become aware of a security issue inside your (already published) extension, you are required to inform us about it. The work-flow below applies accordingly. Do not mention the issue to others, and do not upload a fixed version without coordinating with us.
In case we are notified by a third party, or find a security issue in your extension ourselves, the following work-flow will occur:
- We will notify you as soon as we have collected the necessary information and verified the issue, to make it possible for you to fix it.
- From the day we notify you about the security issue found in your extension, you will have 10 days to initially respond to us in order to show us that you are still actively maintaining the extension.
- From the day we notify you about the security issue found in your extension, you will have 21 days to fix the issue, look for other issues, and provide us with a fixed version. Please do so by sending us both a unified patch [4] and a complete version of the extension as a t3x file.
- Should either of those deadlines be missed, we will have to issue a removal bulletin. This bulletin will inform the public about the situation and recommend that all users uninstall the extension. At the same time, your extension is made unavailable for download from the TYPO3 Extension Repository.
- While working on fixing the security issue, it is mandatory for you to keep all information confidential. Do not disclose any information about the issue to any person or organisation.
- We expect you to carefully review your entire extension, not only the particular area where an issue has been discovered. Should you find more issues, let us know about them.
- In the process of fixing the security related bugs, it is very important that you put nothing but security fixes into your patch.
- Do not add any new features! All of those would make it more difficult for us to review your fixes and for the users of your extension who should be able to update easily. New features may result in some users deciding not to upgrade, and by that not fix the security issues in their current version.
- The fact that the fixed version is a feature-less upgrade should also be reflected by only increasing the last digit of the version number [6].
- We might also do a security audit, and in the case we find multiple other issues, we may require a full third party review of the extension, before it can make its way back into the TYPO3 Extension Repository.
The following situations will, without exception, require a full third party review of your extension:
- A second bug of the same type is found after one has been fixed by you.
- The TYPO3 Coding Guidelines [2] are not followed in your code to an acceptable minimum.
- We find multiple other security related bugs, using a security scanner, or by manual review.
- Finally, we will inform you about the kind of security bulletin that will be issued, and coordinate with you about the last steps.
For Users Reporting a Security Issue: Issue Reporters
We highly appreciate your security awareness.
In order to provide maximum security for all TYPO3 users, we kindly request that you act responsibly by following these guidelines:
- Do not reveal any of your findings to any person or organisation, nor to the author of the extension directly - we will contact him.
- Please report your findings as detailed as possible to us at security(at)typo3.org and wait for our reply. We will reply to every concern reported to us, even in cases where we cannot confirm an actual security issue. We are committed to reply on all inquiries no later than 2 business days after we have received them.
- If you discover additional issues or have useful information for understanding or solving the security issue, please contact us.
- When a bulletin is published on typo3.org, we will give you credit for finding and reporting the security issue. If you do not wish to be named, please let us know.