Only the latest main branch is supported with security updates.

I only support the latest published, stable Joomla version in the latest stable Joomla branch. O do not support Joomla alphas, betas or release candidates (testing releases). If a security issue only occurs with a testing release we will consider it, but we cannot promise a rapid resolution.

Please DO NOT file a GitHub issue about security issues. GitHub issues are public. Filing an issue about a security issue puts all users, you included, in immediate danger.

Please use my contact page to send me a private notification about the security issue. I strongly recommend using GPG to encrypt your email. You can find my public GPG key at https://keybase.io/nikosdion

Please include instructions to reproduce the security issue. Better yet, please include Proof Of Concept code if applicable.

I aim to reply within a business week (5 working days excluding bank holidays). I request a period of 60 to 90 calendar days since I receive adequate information to reproduce the issue before public disclosure, so I have time to address the security issue, publish a new version and make sure everyone is updated.

I do not have the budget for a bug bounty or any other kind of compensation for security researchers reporting security issues. I will, however, publicly credit you for the discovery of the security issue in the release notes and announcement of the security release.