Only the latest main branch is supported with security updates.
We only support the latest published, stable Joomla version in the 4.x version range. We do not support Joomla alphas, betas or release candidates (testing releases). If a security issue only occurs with a testing release we will consider it but we cannot promise a rapid resolution.
Please DO NOT file a GitHub issue about security issues. GitHub issues are public. Filing an issue about a security issue puts all users, you included, in immediate danger.
Please use our business contact page to send us a private notification about the security issue. We strongly recommend using GPG to encrypt your email. You can find our lead developer's public GPG key at https://keybase.io/nikosdion
Please include instructions to reproduce the security issue. Better yet, please include Proof Of Concept code if applicable.
We aim to reply within a business week (5 working days excluding bank holidays). We request a period of 60 to 90 calendar days before public disclosure, counted from the date we receive adequate information to reproduce the issue, so we have time to address the security issue, publish a new version and make sure everyone is updated.
We are a tiny company. We do not have the budget for a bug bounty or any other kind of compensation for security researchers reporting security issues. We will, however, publicly credit you for the discovery of the security issue in our release notes and announcement of the security release.