Security is a top priority for Contao. Please help us make the system more secure!
Reporting a security issue
If you think that you have found a security issue in Contao, please write an e-mail to security [at] contao.org. E-mails sent to this address are forwarded to a private channel of the Contao core team.
Never disclose any information about a vulnerability in the public web (blog posts, tweets, GitHub issues, etc.) before the vulnerability has been acknowledged and fixed in a new Contao release!
For each report, we first try to confirm the vulnerability. When it is confirmed, the core team works on a solution following these steps:
- Send an acknowledgement to the reporter;
- Work on a patch;
- Get a CVE identifier from mitre.org;
- Publish a security announcement on contao.org;
- Send the patch to the reporter for review;
- Apply the patch to all maintained versions of Contao;
- Release new versions for all affected versions;
- Announce the new versions and the vulnerability on contao.org;
- Update the public security advisories database.
The Contao Association rewards reporters of confirmed vulnerabilities with a security bounty of 100 Euros.
Check the security advisories database for a list of all security vulnerabilities that were already found and fixed in Contao.