.github/SECURITY.md

Security policy

Security is a top priority for Contao. Please help us make the system more secure!

Reporting a security issue

If you think that you have found a security issue in Contao, please write an e-mail to security [at] contao.org. E-mails sent to this address are forwarded to a private channel of the Contao core team.

Never disclose any information about a vulnerability publicly (blog posts, tweets, GitHub issues, etc.) before the vulnerability has been acknowledged and fixed in a new Contao release!

Resolving process

For each report, we first try to confirm the vulnerability. Once it is confirmed, the core team works on a solution following these steps:

  1. Send an acknowledgement to the reporter;
  2. Work on a patch;
  3. Get a CVE identifier from mitre.org;
  4. Publish a security announcement on contao.org;
  5. Send the patch to the reporter for review;
  6. Apply the patch to all maintained versions of Contao;
  7. Release new versions for all affected versions;
  8. Announce the new versions and the vulnerability on contao.org;
  9. Update the public security advisories database.

Bug bounty

The Contao Association rewards reporters of confirmed vulnerabilities with a security bounty of 100 Euros.

Security advisories

Check the security advisories database for a list of all security vulnerabilities that were already found and fixed in Contao.