The Zope developer community uses the same security policy as the Plone developer community. The most up to date information about Plone security is on https://plone.org/security

For supported versions, see the Zope development roadmap.

Please do NOT create a public bug report if you think this may be a security issue. Instead, please contact the Plone and Zope Security Team via email: security@plone.org. See also https://plone.org/security/report

Only bug reports submitted directly to the security team email will be treated as responsible disclosure. Any offered for sale to third parties or submitted to public bug bounty programmes will be treated as irresponsible public disclosure. We will not confirm any submissions on third party platforms such as "huntr" or "hackerone" and do not give permission for those systems to accept reports on our behalf or to represent themselves as a conduit for vulnerability reports.