TYPO3 Association Board Meeting Protocol (27 May 2026)
Topics included international growth, security initiatives, and stronger community structures. The Board also reviewed the General Assembly protocol and measures to strengthen trust, transparency, and security across the TYPO3 ecosystem.
Attendance
- Olivier Dobberkau (President)
- Stefan Busemann (Treasurer)
- Martin Helmich (Secretary)
- Jana Höffner (Member of the Board)
- Jochen Weiland (Member of the Board)
- Thomas Maroschik (Member of the Board)
- Daniel Fau (CEO, TYPO3 GmbH)
- Frank Nägler (CTO, TYPO3 GmbH)
- Mathias Bolt Lesniak (Project Ambassador)
- Rachel Foucard (Compliance Officer)
1 — Report by Mathias Bolt Lesniak
He reported on opportunities in Sweden, the United States of America and other countries. He highlighted a strong interest in the USA in moving away from proprietary systems toward open-source platforms. He specifically mentioned North Dakota, a state with just 250,000 inhabitants, and vendor lock-in issues. The TYPO3 Expansion Committee’s focus on building local business ecosystems can align well with current American political sentiments.
2 — Protocol of the 2026 General Assembly
The final revision of the protocol is complete, and it is now ready for publication. It should be published within the next week.
3 — Decision on Ombudsperson External Mediation
Rachel Foucard presented a proposal for an external ombudsperson for 2026, aimed at establishing a neutral, external point of contact to remove barriers and rebuild trust.
The proposal involves a pilot phase throughout 2026, starting in June, to collect data on conflict types, which would inform the structure for 2027. Rachel Foucard suggested potentially holding office hours with the contractor or during the developer days.
She contacted two different contractors and asked each for a bid. The members of the Board will now decide which potential contractor has the best and most economical offer.
4 — Discussion About Participation in the Alpha-Omega / Mythos Security Scanning Initiative
The Board discussed the Association's (potential) participation in the Alpha-Omega and/or Mythos Preview initiative. Frank Nägler provided an update on security scanning for the core, noting that the Security Team is already in contact with the PHP Foundation.
Access has already been applied for on behalf of both TYPO3 GmbH and the Security Team. He confirmed that a one-time scan would be conducted without disclosure requirements or pressure to fix issues immediately.
5 — Establish Policies to Prevent Possible Supply-Chain Attacks Through Extensions
Olivier Dobberkau raised concerns about the lack of guardrails for publishing extensions, especially when they change ownership, and proposed establishing a formal request-for-comments process. Martin Helmich and Mathias Bolt Lesniak suggested using the existing policy repository to handle these procedures pragmatically.
Background
In early April 2026, Austin Ginder of Anchor Hosting revealed that a buyer had acquired a portfolio of more than thirty WordPress plugins for a six-figure sum via the Flippa platform in early 2025. In August 2025, a backdoor was planted in version 2.6.7, disguised as a compatibility update. The code remained inactive for eight months. In April 2026, it activated and began delivering SEO spam, visible only to Googlebot. Twenty thousand active installations were affected. WordPress.org permanently disabled all of the author’s plugins on 7 April and distributed a forced auto-update that deactivates the phone-home functions but leaves the module in the code.
- XZ Utils backdoor on Wikipedia
6 — Dialogue Day 2026
The Board is planning a separate Dialogue Day on 14 July 2026 at the TYPO3 GmbH’s head office in Düsseldorf, Germany. This Dialogue Day is especially for team leads, Core Team members, and significant opinion leaders within the community.
The board agreed that for the Dialogue Day, one person per team could seek reimbursement from their respective team budget, with any exceptions to be handled on a case-by-case basis.
Invitations will be sent out shortly.
7 — Surfcamp 2027
The board discussed the continuation of the successful Surfcamp series in 2027. All board members were keen to continue this kind of promotion of young talent.
Stefan Busemann proposed creating a decision paper for the next meeting, provided there is no opposition to the item. This document will include an analysis of the concrete financial impact.