Changes to the TYPO3 Bug Bounty Program

Extension security reporting continues — financial rewards for extension findings will end on 31 May 2026.
Key Takeaways
- Financial rewards for extension vulnerability reports end on 31 May 2026.
- Reports submitted before 31 May 2026 are still eligible under the current terms.
- Extension security reporting remains open — the TYPO3 Security Team continues to review, coordinate, and publish advisories.
- The Bug Bounty Program continues for Core, infrastructure, and server findings.
What's Changing and Why
As vulnerability reporting practices evolve across the open-source ecosystem, the TYPO3 Security Team is refining the scope of its Bug Bounty Program. Going forward, financial rewards will be limited to findings in TYPO3 Core and infrastructure, the areas that are centrally maintained and have the highest system-wide impact.
The TYPO3 extension ecosystem is large and diverse, and the quality and maintenance level of individual extensions varies considerably. As reporting volumes have grown, sustaining meaningful review capacity across third-party extensions — each with its own maintainer — has become increasingly difficult to reconcile with the time and focus that Core security demands.
A security process is only effective when reports can be reviewed thoroughly, prioritized correctly, and addressed where they matter most. Concentrating the reward program on Core and infrastructure reflects that commitment.
What Stays the Same
✅ Extension vulnerability reporting via the Responsible Disclosure process
✅ Security Team review, coordination with maintainers, and security advisories
✅ Bug Bounty rewards for Core, infrastructure, and server findings
What Ends
❌ Financial rewards for extension vulnerability reports after 31 May 2026
An Invitation
If you've been contributing extension findings, your skills and attention to detail are genuinely valued. TYPO3 Core is where that energy has the broadest reach — every finding affects every installation in the ecosystem, and the Bug Bounty Program remains fully in place there. If you haven't looked at Core security yet, now is a good time to start.
Further details on the scope and process are available here.
Questions? Reach out at security@typo3.org.