Only the latest published release and the main branch — where development takes place — are considered currently supported code.

We only support the latest published, stable Joomla version in the 3.x and 4.0 version ranges. We do not support Joomla alphas, betas or release candidates (testing releases). If a security issue only occurs with a testing release we will consider it but we cannot promise a rapid resolution.

Please DO NOT file a GitHub issue in the clear about security issues. GitHub issues are public. Filing an issue about a security issue puts all users, you included, in immediate danger.

Please use this page to encrypt your message with my GPG key and send it to me via the contact form on my site.

Please include instructions to reproduce the security issue. Better yet, please include Proof Of Concept code if applicable.

We aim to reply within a business week (5 working days excluding bank holidays). We request a period of 60 to 90 calendar days from the time we receive adequate information to reproduce the issue before public disclosure so we have time to address the security issue, publish a new version and make sure everyone is updated.

As a very small business we do not have the resources to support a bug bounty program. We are also too small to be a CVE issuing authority.

We appreciate the time you put into security research and the time you spend contacting small businesses like ours with your findings. We will publicly acknowledge your security report and credit you with your discovery when making our release. You will have our and our users' gratitude for your hard work!