Report a security issue¶
If you find a security issue in the TYPO3 core system or in a TYPO3 extension (even if it is your own development), please report it to the TYPO3 Security Team – the Security Team only. Do not disclose the issue in public (for example in mailing lists, forums, on Twitter, your website or any 3rd party website).
The team tries to answer all requests as soon as possible and strives to respond in 2 working days, but please allow a reasonable amount of time to assess the issue and get back to you with an answer. If you suspect that your report has been overlooked, feel free to submit a reminder a few days after your initial submission.
Review of your extension¶
The Security Team does not review extensions pro-actively, but can be engaged if someone wants to have his/her extension reviewed. It is not required that the extension code is publicly available (“private” extensions can also be reviewed on request). If the extension has been published in the TYPO3 Extension Repository (TER), it must be “stable” and if it passed the security review, the investigated version (and this version only) may be classified as “reviewed”.
You can contact the TYPO3 Security Team at firstname.lastname@example.org .
Please find further details about the TYPO3 Security Team at https://typo3.org/community/teams/security/ .