The most up to date information about Plone security is on https://plone.org/security

For supported versions, see the security update policy

The release schedule also has helpful information.

There may be hotfixes available to increase the security of your version of Plone. Please check the available hotfixes.

Please do NOT create a public bug report if you think this may be a security issue. Instead, please contact the Plone Security Team via email: security@plone.org. See also https://plone.org/security/report

Only bug reports submitted directly to the security team email will be treated as responsible disclosure. Any offered for sale to third parties or submitted to public bug bounty programs will be treated as irresponsible public disclosure. We will not confirm any submissions on third party platforms such as "huntr" or "hackerone" and do not give permission for those systems to accept reports on our behalf or to represent themselves as a conduit for vulnerability reports.