Incident Handling of TYPO3 Core Issues

The TYPO3 Security Team has decided to partly handle TYPO3 Core Incidents publicly by the standard Core Review Process.

Last week, the TYPO3 Security Team was invited to the TYPO3 Code Sprint 2011 in Berlin. On behalf of the Security Team I'd like to say thanks for the invitation.

In one of our meetings we thought again about possibilities to reduce unnecessary workload of our team. In future, we will handle vulnerabilities that affect TYPO3 admins (BE user) and TYPO3 Install Tool as part of the standard Core Review Process. This means such vulnerabilities are treated as bugs and working on them is visible for everyone. The reason for this change is that using the Install Tool and being a TYPO3 admin requires the highest priviledge in TYPO3 context. TYPO3 admins don't need to exploit vulnerabilities to do harm on an installation.

Therefore TYPO3 admins should always be carefully selected.

To sum it up:
Please keep reporting any type of vulnerability to the TYPO3 Security Team. All vulnerabilities will be fixed. Only specific vulnerabilites will be treated different in regards to the fixing process.

---