How we handle security in our Joomla extensions, what to do if you find a vulnerability, and what you can expect from us in return.
Our commitment
Security is a core responsibility for us as a software publisher. Our extensions are installed on thousands of Joomla sites. We take that responsibility seriously and are committed to responding to security issues promptly and transparently.
In line with the EU Cyber Resilience Act (Regulation 2024/2847), we maintain a documented vulnerability response process, provide free security updates during the support period, and report actively exploited vulnerabilities to the Dutch NCSC when applicable.
Supported platforms
We follow an N / N-1 policy for Joomla: the current major version and the previous one receive active support. Security updates are always built against the latest supported release. Installations on end-of-life platforms cannot be actively maintained; we encourage customers on unsupported platforms to upgrade.
| Platform | End of Active Support | End of Security Support | OCH Support | Note |
|---|---|---|---|---|
| Joomla 6 (N) | 17 Oct 2028 | 16 Oct 2029 | Supported | Primary target platform |
| Joomla 5 (N-1) | 13 Oct 2026 | 12 Oct 2027 | Supported | Supported until Joomla 5 EOL |
| Joomla 4 | 15 Oct 2024 | 14 Oct 2025 | Not supported | EOL reached; upgrade |
| Joomla 3 | 17 Aug 2021 | 17 Aug 2023 | Not supported | No security patches available |

| PHP version | End of Active Support | End of Security Support | OCH Support | Note |
|---|---|---|---|---|
| 8.5 | 31 Dec 2027 | 31 Dec 2029 | Supported | |
| 8.4 | 31 Dec 2026 | 31 Dec 2028 | Supported | Recommended Joomla 6 |
| 8.3 | 31 Dec 2025 | 31 Dec 2027 | Supported | Minimum Joomla 6; Recommended Joomla 5 |
| 8.2 | 31 Dec 2024 | 31 Dec 2026 | Supported | |
| 8.1 | 31 Dec 2023 | 31 Dec 2025 | Supported | Minimum Joomla 5 |
| 8.0 and lower | EOL | EOL | Not supported | |
Report a vulnerability
If you believe you have found a security vulnerability in one of our extensions, please let us know. We ask you to report responsibly: do not publicly disclose the issue before we have had the opportunity to investigate and release a fix.
What to include in your report:
- The extension name and version number
- Joomla and PHP version of the affected installation
- A clear description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code or screenshots (if applicable)
Report a security vulnerability via the contact form.
Our response process
Once we receive a report, we follow a structured response process:
| Timeframe | Step | Description |
|---|---|---|
| within 48 h | Acknowledgement | We confirm receipt of your report and assign it an internal tracking number. |
| within 7 days | Initial assessment | We reproduce and assess the severity of the issue and keep you informed of our findings. |
| patch ready | Fix & coordinated release | We develop and test a fix, then agree a release date with you. All license holders are notified by email on the day of release. |
| within 14 days of patch | Public disclosure | We publish full details of the vulnerability, its severity, and the fix in the release notes, including credit to the reporter (with consent). |
EU Cyber Resilience Act - conformity
All OnlineCommunityHub extensions are regular products with digital elements within the meaning of the EU Cyber Resilience Act (Regulation 2024/2847). As manufacturer, we perform a self-assessment conformity evaluation for each extension (Article 32(1) CRA).
This means we maintain a cybersecurity risk assessment, technical documentation, and a Software Bill of Materials (SBOM) for every extension we publish. Extensions are placed on the market with a CE marking and an accompanying EU Declaration of Conformity.