Security is a top priority for Contao. Please help us make the system more secure!

If you think that you have found a security issue in Contao, please write an e-mail to security [at] contao.org. E-mails sent to this address are forwarded to a private channel of the Contao core team.

Never disclose any information about a vulnerability in the public web (blog posts, tweets, GitHub issues, etc.) before the vulnerability has been acknowledged and fixed in a new Contao release!

For each report, we first try to confirm the vulnerability. When it is confirmed, the core team works on a solution following these steps:

1. Send an acknowledgement to the reporter;
2. Work on a patch;
3. Get a CVE identifier from mitre.org;
4. Publish a security announcement on contao.org;
5. Send the patch to the reporter for review;
6. Apply the patch to all maintained versions of Contao;
7. Release new versions for all affected versions;
8. Announce the new versions and the vulnerability on contao.org;
9. Update the public security advisories database.

The Contao Association rewards reporters of confirmed vulnerabilities with a security bounty of 100 Euros.

Check the security advisories database for a list of all security vulnerabilities that were already found and fixed in Contao.