Security update policy

Plone's security team releases periodic updates containing fixes and security improvements typically found through code audits. Serious vulnerabilities, especially those reported by external researchers, are fixed as soon as possible.

In almost all situations, the security team pre-announces the release of a fix to ensure that site maintainers can allocate time to install a fix. Only in emergencies are updates released without advance warning.

Security fixes are usually provided as a hotfix package, an extra Python package that you add to your Plone instance. The next Plone bugfix release will contain the security fixes without needing the extra package.

Installing a Plone security update takes approximately 10 to 15 minutes, plus any time needed for extra checks. Applying these updates is a routine and expected part of Plone hosting and support services.

Backend and Classic UI version support

The Plone Security Team supports all minor versions of the current major release, and the last minor version of the previous major release. See the release schedule for details.

Currently, for Plone this means the 6.0.x series and the 5.2.x series have security support.

Hotfixes may work on older versions of Plone; whether they do is indicated on the individual hotfix page. However, testing on those versions may have been less rigorous, and new hotfixes are not guaranteed to be released for these older versions.