Skip to content

Reporting a Security Vulnerability


CiviCRM Core Team and Security Team are responsible for fixing reported security issues within supported CiviCRM versions. Security releases will only be made for those versions with active CiviCRM support, at which point Security Advisories will be issued.

Release Timing.

CiviCRM maintains two security release windows, they are the first and third Wednesday of every month US/PDT Timezone. Having a release window doesn't mean that a release will occur, but it does allow for site administrators to be conscious of when there may be a security update.

Reporting a Security bug

CiviCRM maintains an email address as the primary mechanism for reporting security issues. When you report an issue, please include all possible information that would help the Security Team replicate and help solve the issue. Unless you request anonymity, you will be credited for your role in reporting the issue as well as any other roles you take in resolving it.

Security Policy

CiviCRM has a publicly available Security Policy which details these points and goes into some further detail around our security practices.