Security & Vulnerability Disclosure

This page explains how we handle security in our Joomla extensions, how to report a vulnerability if you find one, and what you can expect from us when you do.

This page is available in English only. If you have questions about its content, contact us through the contact form.

Our commitment

Our extensions run on production websites that real businesses depend on. A security flaw in our code is a flaw in their site, so we treat security reports as a priority, not as a side task.

When a security issue is confirmed, we fix it and ship a release as quickly as we reasonably can. We keep the reporter informed along the way, and we are open about what was wrong and what we changed once the fix is out.

Supported platforms

We can only guarantee security fixes for platform versions that still receive support from their own maintainers. Once Joomla or PHP stops patching a version, we cannot patch the gap underneath our extension either.

For Joomla we follow an N / N-1 policy: the current major version and the one before it receive active support. Security releases are always built and tested against the latest supported Joomla version, so a fix for an older supported major may require you to be on that major's latest minor release.

Joomla

Version  | End of bug fix support | End of security support | Joomill support
Joomla 6 | 17 Oct 2028            | 16 Oct 2029             | Supported. Primary target platform.
Joomla 5 | 13 Oct 2026            | 12 Oct 2027             | Supported until Joomla 5 reaches end of life.
Joomla 4 | 15 Oct 2024            | 14 Oct 2025             | Not supported. End of life reached, please upgrade.
Joomla 3 | 17 Aug 2021            | 17 Aug 2023             | Not supported. No security patches available.

PHP

Version           | End of active support | End of security support | Joomill support
PHP 8.5           | 31 Dec 2027           | 31 Dec 2029             | Supported.
PHP 8.4           | 31 Dec 2026           | 31 Dec 2028             | Supported. Recommended for Joomla 6.
PHP 8.3           | 31 Dec 2025           | 31 Dec 2027             | Supported.
PHP 8.2           | 31 Dec 2024           | 31 Dec 2026             | Supported.
PHP 8.1           | 31 Dec 2023           | 31 Dec 2025             | Supported.
PHP 8.0 and lower | End of life           | End of life             | Not supported.

If your site runs on a version listed as not supported, we strongly recommend upgrading: an unsupported Joomla or PHP version can contain known, unpatched vulnerabilities that no extension update can fix. We are happy to help you check whether your extensions are ready for the move.

Report a vulnerability

If you believe you have found a security vulnerability in one of our extensions, we want to hear about it. We ask you to report it responsibly: please do not disclose the issue publicly before we have had the chance to investigate and ship a fix.

This is coordinated disclosure. In return, we acknowledge your report quickly, keep you posted on our progress, and credit you in the release notes when the fix ships, if you want to be credited.

To help us act fast, please include:

  • The extension name and version number
  • The Joomla and PHP version of the affected installation
  • A clear description of the vulnerability and what an attacker could do with it
  • Step by step instructions to reproduce the issue
  • Any proof of concept code or screenshots, if you have them

Report a security vulnerability through the contact form on this website. Please mark your message clearly as a security report so it does not get lost among regular support requests.

Our response process

Once we receive a report, we work through a fixed set of steps so you always know where things stand.

Acknowledgement, within 2 business days. We confirm that your report arrived and give it an internal tracking reference.

Initial assessment, within 7 business days. We try to reproduce the issue, judge how serious it is, and share what we found with you.

Fix and coordinated release. We develop and test a fix, then agree a release date with you. License holders are notified by email on the day the release goes out.

Public disclosure, within 30 days of the fix being released. We publish the details of the vulnerability, its severity, and the fix in the release notes, including credit to the reporter if consent was given.

The timelines above are targets, not contractual guarantees. Joomill Extensions is a small operation, so a report that lands during a holiday may take a little longer to acknowledge. If the issue is serious, we always prioritise it over everything else.

EU Cyber Resilience Act

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) introduces security obligations for products with digital elements sold in the EU. Its reporting duty for actively exploited vulnerabilities applies from 11 September 2026, and the full set of manufacturer obligations applies from 11 December 2027.

We are working towards compliance with the CRA for our extensions. This means we are building out our vulnerability response process, our technical documentation, and our software inventory so that we meet the requirements in time.

We will update this page as our CRA preparations progress. If you have specific questions about how the CRA affects a product you use, contact us through the contact form.