Security: akeeba/sociallogin

.github/SECURITY.md

Security Policy

Supported Versions

Only the latest master and development branches are supported with security updates. The master branch represents the last published version, whereas the development branch represents the upcoming version.

We only support the latest published, stable Joomla version in the 3.x and 4.x branches. We do not support alphas, betas or release candidates (testing releases). If a security issue only occurs with a testing release we will consider it, but we cannot promise a rapid resolution.

Reporting a Vulnerability

Please DO NOT file a GitHub issue about security issues. GitHub issues are public. Filing an issue about a security issue puts all users, you included, in immediate danger.

Please use our contact page to send us a private notification about the security issue. We strongly recommend using GPG to encrypt your email. You can find the lead developer's public GPG key at https://keybase.io/nikosdion.

Please include instructions to reproduce the security issue. Better yet, please include Proof Of Concept code if applicable.

Expected timeframe

TL;DR - Typical timeframe:

  • T-2 to 10 days: we receive your notification about a security issue.
  • T-0: we acknowledge the security issue and start working on it.
  • T+30 days: we release a patched version and you can make an announcement without details or POC code.
  • T+90 days: you can talk about it in public without any restriction, release POC code etc.

Security issues are typically processed within 2 business days with the exception of vacations, event attendance or family emergencies. We will contact you to let you know of our evaluation of the security issue and possibly request more information.

As soon as we acknowledge an issue we typically ask for 30 days to come up with a solution and release a fixed version. We kindly request that no public announcement about the security issue be made during that period. You will be credited with the discovery of the vulnerability in our release notes and our release announcements (if any). You may not receive a notification about the release of the new version, so we encourage you to monitor our automated release update feed.

Once this period elapses and/or we have released a fixed version, you are free to make a public announcement about your vulnerability as long as you do not give away specifics or proof-of-concept code. We kindly request that you allow an additional 60 days so that our users have a chance to update their software.

After the additional 60 days you are more than welcome to release detailed information and proof-of-concept code, as well as make any public announcements about the vulnerability you discovered.