Security update policy

Last major policy update: 2024-01-15.

Plone Security policy

Each major version gets security support for 5 years from the date of its release.

Security support for every minor version within a major version ends on the same date as security support for that major version.

Only the latest patch release within a minor version gets security support. Security fixes may work on an older patch release, but we cannot guarantee this.

Practical

To report a security issue, please send an email to security@plone.org.

Plone 5.2 has security support until 2024-10-31, and Plone 6 has security support until 2027-12-31. Other versions are not supported.

Plone's security team releases updates to individual packages that contain security fixes and hardening improvements, most of which are found through code audits. Serious vulnerabilities, especially those reported by external researchers, are fixed as soon as possible.

When a Plone minor version is in maintenance support, its next patch release includes these security fixes, so upgrading to that patch release is enough and you do not need to override the pinned versions of individual packages.
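For a site that cannot wait for the next patch release, or that runs on a version where the fix ships only as an individual package update, the usual way to pick up such an update is to pin the fixed package version on top of the release's version set. The following buildout fragment is an added example, not configuration taken from this page or from the Plone project; the extends URL and the package name `example.package` with version `1.2.1` are assumptions standing in for the real version file and the package named in an advisory.

```ini
[buildout]
# Assumed URL of the release's pinned version set; use the one for your release.
extends =
    https://dist.plone.org/release/6.0-latest/versions.cfg
parts = instance

[instance]
recipe = plone.recipe.zope2instance
eggs = Plone
user = admin:admin

[versions]
# Hypothetical package and version from a security advisory.
# A pin placed here takes precedence over the pin in the extended
# versions.cfg, so the instance is rebuilt with the fixed release.
example.package = 1.2.1
```

After running buildout, confirm that the installed version matches the pin before restarting the instance; once the next Plone patch release that carries the fix is installed, the override can be removed so the release's own pins apply again.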

Applying these updates is a routine and expected part of Plone hosting and support services.

In the past, the security team often provided fixes in the form of an extra hotfix package that you could add to your Plone instance. This is no longer done.

In the past, a pre-announcement was also often made so that site maintainers could allocate time to install a fix. This is no longer done either.

At its discretion, the Plone Security Team may make fixes available for versions that are no longer officially supported, if the extra effort is within reason.