by Yanick Witschi

Changes to our security policy

Dear Contao community,

Today we would like to inform you about important changes to our security policy that are effective immediately. These changes are intended to help make our processes more efficient and facilitate your planning - without compromising on security.

1. Security updates are no longer announced in advance by default

In the past, we announced all security releases around two weeks in advance, regardless of how serious a security vulnerability actually was. Although this had the advantage that companies and agencies could prepare well, in practice it often led to unnecessary effort: employees were scheduled, systems were blocked or update dates were reserved, only to find out that the update was not relevant for their own project.

The following therefore applies with immediate effect:

  • Fixes for moderate security vulnerabilities will be regularly included in the normal bugfix release cycle - without separate advance notice.
  • For serious or critical vulnerabilities, we will continue to give two weeks' notice.

This approach is common and proven in the open source world. Large projects such as Symfony or PHP itself also follow a similar principle: smaller security fixes are published in normal releases, while only really critical vulnerabilities are communicated and announced separately.

Important: All affected releases will of course continue to be clearly marked as security releases - both on contao.org under “Security advisories” and in the designated places such as packagist.org for automated evaluation. The changes therefore only affect the run-up to the announcement - not the communication of the content itself.

The Contao core team carefully checks each security vulnerability to determine whether advance notice is necessary. In case of doubt, we decide in the interest of security and transparency.

2. No more bug bounties

In the past, we have paid out bug bounties (bonuses) for reporting security vulnerabilities. Unfortunately, it has become apparent that this practice is increasingly being abused:

  • The number of dubious reports has increased significantly thanks to automated tools and AI-supported “hunters”.
  • These reports tie up a lot of time and resources without any real security gain in the end.

We have therefore decided - like other projects - to stop paying out bug bounties with immediate effect. In the case of serious reports from the community, we reserve the right to continue to award a bounty - but on a voluntary basis and at the discretion of the core team.

We would like to take this opportunity to thank everyone who has contributed to the security of Contao in the past with serious reports.

Your work remains indispensable!

These changes help us to work on Contao in a more focused and efficient way - with the clear goal of keeping the quality and security of our software at a high level, without unnecessary overhead.

As always, if you have any questions or feedback, please feel free to contact us - either in the forum or via Slack.

Yanick Witschi

About Yanick Witschi

Yanick is Contao's caching and resolver hero and is partly responsible for making your coffee break a lot shorter since the switch to Composer 2. He was co-founder and the first president of the predecessor of the Contao Association. As a core developer, he puts a lot of heart and soul into Contao. At terminal42, he regularly takes off with clients. He also loves cooking, basketball, tennis, politics, the African continent and astrophysics.
