Security update policy

Plone's security team releases periodic updates containing fixes and security improvements typically found through code audits. Serious vulnerabilities, especially those reported by external researchers, are fixed as soon as possible.

In almost all situations, the security team pre-announces the release of a fix to ensure that site maintainers can allocate time to install a fix. Only in emergencies are updates released without advance warning.

Security fixes are usually provided as a hotfix package, an extra Python package that you add to your Plone instance. The next Plone bugfix release will contain the security fixes without needing the extra package.

Installing a Plone security update takes approximately 10 to 15 minutes, plus any time needed for extra checks. Applying these updates is a routine and expected part of Plone hosting and support services.

Backend and Classic UI version support

The Plone Security Team supports one major version (5, 6) of Plone for five years, with an overlap of two years where the previous major version is also supported.

Within a major release, only the latest minor release (5.2, 6.0) gets security support, with an overlap of one year where the previous minor version is also supported. Each minor Plone version gets at least two years of security support.

Currently, this means the Plone 6.0.x series and the 5.2.x series have security support. As long as you keep your Plone site on the latest Plone 6 minor release (currently 6.0), you will have security support until the end of 2027.

At its discretion, the Plone Security Team may make fixes available for versions that are no longer officially supported, if the extra effort is within reason.

Hotfixes may work on older versions of Plone, which will be indicated on the individual hotfix page. However, testing on those versions may have been less rigorous, and new hotfixes are not guaranteed for these older versions.

See the release schedule for details.