The Joomla! Project takes security vulnerabilities very seriously. As a member of oCert we follow some specific procedures when dealing with security issues.

If you find a possible vulnerability, please report it to the Joomla Security Strike Team first. You can contact the team via email at the address published on the Security Center page. Also let us know via email if you find a reported vulnerability (reported elsewhere), and include where you saw the report.

You can provide patches for any issues that you find when emailing the team. If you want to join the team, send an email to that same address and ask for more details. Due to the sensitive nature of security work the team's membership is restricted, but we welcome anyone who is qualified to contact us about membership.

Joomla! Security Strike Team

In wildland firefighting, the term "Strike Team" describes a collection of similar resources assembled for a specific purpose (https://en.wikipedia.org/wiki/Strike_Team). The JSST is called a strike team because it is a collection of developers and security experts tasked with improving and managing security for Joomla.

Goals

  1. Investigate and respond to reported core vulnerabilities.
  2. Execute code reviews prior to release to identify new vulnerabilities.
  3. Provide public presence regarding security issues.
  4. Help the community understand Joomla security.

Security Announcement Policy

  • Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
  • All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for the vulnerability.

Public Responses Policy

Articles are written about Joomla all the time. In many circumstances, these articles (even from reputable sources) contain a significant amount of misinformation.

  • The JSST will assess and address articles written about security issues.
    • If the article contains valid information about a vulnerability not yet fixed, we will ask the publisher to suspend the article until we can fix the issue.
    • If the article contains invalid information, we will note what is invalid, and ask the publisher to either fix or remove the article.
  • The JSST will be available to answer questions/validate any Joomla security-related articles on the publisher's request.

Security Release Policy

  • Critical and high-level vulnerabilities trigger an immediate release cycle.
  • Moderate vulnerabilities may trigger a release cycle depending on the specific issue.
  • Low and very low vulnerabilities (and moderates which do not trigger a release cycle) will be included with the next scheduled maintenance release.
  • All security releases will be accompanied by one (or more) appropriate security announcements.

Vulnerability Threat Levels

There are two main details that contribute to a vulnerability's priority or "threat level":

Impact

  • Critical - "0-day" attacks, and attacks where site control is compromised (the attacker can take control of the site).
  • High - SQL injection attacks, remote file include attacks, and other attack vectors where site data is compromised.
  • Moderate - XSS attacks, write ACL violations (editing or creating of content where not allowed).
  • Low - read ACL violations (reading of content where not allowed).

Severity

  • Critical - VERY easy to perform. Relies on no outside information (TRUE 0-day attack).
  • High - Moderately easy to perform. May rely on readily available outside information.
  • Moderate - Not easy to perform. May rely on sensitive information.
  • Low - Difficult to perform. Relies on sensitive information or requires special circumstances to perform.

* NOTE: These descriptions are generic guidelines only. Each vulnerability will be assessed for its damage potential and ranked accordingly.

Supported Versions

  • All currently developed and supported versions of Joomla will be actively monitored by the JSST.
  • Currently active versions include:
    • Joomla 2.5.x (until December 2013)
    • Joomla 1.5.x (until April 2012)
    • Joomla 1.7.x (until February 2012)
  • Support for Joomla version 1.6.x ended on August 20, 2011.
Read more: https://developer.joomla.org/security.html

© 2024 Extly, CB - All rights reserved.