If you think that you have found a security issue in Pimcore, don’t use the bug tracker and don’t disclose it publicly. Instead, all security issues must be reported via this form.
The core team handles every submitted security issue with top priority, following these steps:
- Confirm the vulnerability
- Determine the severity
- Contact reporter
- Work on a patch
- Get a CVE identification number (may be done by the reporter or a security service provider)
- Review the patch
- Tag a new release for supported versions
- Publish security announcement