Security is a top priority for Contao. Please help us make the system more secure!
If you think that you have found a security issue in Contao, please send an email to security [at] contao.org. Emails to this address will be forwarded to a private channel of the Contao core team.
Never disclose any information about a vulnerability on the public web (blog posts, tweets, GitHub issues, etc.) before the vulnerability has been acknowledged and fixed in a new Contao version!
For every report, we first attempt to confirm the vulnerability. When it is confirmed, the core team works on a solution following these steps:
- Send an acknowledgement to the reporter;
- Work on a patch;
- Obtain a CVE identifier from mitre.org;
- Publish a security announcement on contao.org;
- Send the patch to the reporter for review;
- Apply the patch to all maintained versions of Contao;
- Release new versions for all affected versions;
- Announce the new versions and the vulnerability on contao.org;
Contao is an open-source project where most of the work is done by volunteers. We appreciate that developers are trying to find security issues in Contao and report them responsibly, but we are currently unable to pay bug bounties.
Check the security advisories for a list of all security vulnerabilities that were already found and fixed in Contao.