Security is taken very seriously by the developers of TYPO3. The visible part of that concern is the TYPO3 Security Team.
And it seems they are doing a good job. As TYPO3 user Michael Shigorin told us: "For us, one major reason to choose TYPO3 was the virtually blank bugtraq trail with significant usage numbers." Go ahead, search bugtraq and see for yourself...
TYPO3 core security updates, extension security updates and unmaintained insecure extensions are announced in the form of TYPO3 Security Bulletins. We notify the TYPO3 community about the release of new bulletins via different channels:
To get the bulletin notification delivered to your inbox, we strongly recommend subscribing to the typo3-announce mailing list. Besides that, you may also consider subscribing to the security news feed at typo3.org. The feed is available in different formats (RSS 2.0 and RSS 0.91).
If you have found a security issue in a TYPO3 extension or the TYPO3 core system, please report it to us. If you want to know how we deal with security issues, have a look at this page explaining our policy on such matters.
The TYPO3 Security Team was founded in 2004. Real-life meetings mainly take place during the TYPO3 Snowboard Tour. If you are interested in contributing, please contact us.
Vulnerabilities that can only be exploited by TYPO3 admins (backend users with admin rights) or through the TYPO3 Install Tool are handled as part of the standard Core Review Process. This means such vulnerabilities are treated as ordinary bugs, and work on them is visible to everyone. The reason for this change is that using the Install Tool and being a TYPO3 admin already requires the highest privilege in the TYPO3 context: TYPO3 admins do not need to exploit vulnerabilities to harm an installation.
Therefore TYPO3 admins should always be carefully selected.