The following matrix shows the versions that are currently maintained by the TYPO3 Community. Sprint releases (versions before 11.5.0 and before 10.4.0, in their corresponding branches) are not maintained nor supported.

Please report potential vulnerabilities to security@typo3.org

• mention the project that is affected (either TYPO3 core or a TYPO3 extension/plugin)
• mention the exact version or version range that has been analyzed
• provide a step-by-step description on how to exploit the potential vulnerability

The TYPO3 Security Team will coordinate with core mergers or corresponding extension/plugin maintainers and other affected parties. If a security fix is ready, we then will package new releases and announce the fix to the public using various communication channels like:

• TYPO3 Security Advisories
• TYPO3 Security Team on Twitter
• #announce channel on Slack
• TYPO3 Announce Mailing List

The TYPO3 Security Team is taking care of requesting CVE IDs (common vulnerability and exposer identifiers). Please do not post or publish vulnerabilties to public issue trackers or discuss it on Slack or Twitter.

It is possible to send GPG/PGP encrypted emails to security@typo3.org using key id C05FBE60 (complete fingerprint B41C C3EF 373E 0F5C 7018  7FE9 3BEF BD27 C05F BE60):

• download public key file from typo3.org
• download public key file from keys.openpgp.org

TYPO3 releases (including potential security fixes) are usually released on Tuesdays (except for holidays like Christmas or New Year's Day).

Maintenance releases for stable versions have been scheduled in advance - it is very likely that security fixes are released during these dates as well.