How we handle security in our Joomla extensions, what to do if you find a vulnerability, and what you can expect from us in return.
Our commitment
Security is a core responsibility for us as a software publisher. Our extensions are installed on thousands of Joomla sites. We take that responsibility seriously and are committed to responding to security issues promptly and transparently.
In line with the EU Cyber Resilience Act (Regulation 2024/2847), we maintain a documented vulnerability response process, provide free security updates during the support period, and report actively exploited vulnerabilities to the Dutch NCSC when applicable.
Who benefits from our security commitments?
Our CRA obligations arise because we are an EU-based manufacturer placing products on the EU market. However, the security commitments we make (free security updates, a published vulnerability disclosure process, a five-year support period) apply to all our license holders, regardless of where in the world they are located. These protections are built into the product and the commercial relationship, not granted conditionally by geography.
Outside the EU?
If you purchased a license from us, our security update commitment applies to you in full. The CRA is the legal framework behind it, but the obligation runs to all license holders, not only those in EU member states.
Agencies and indirect installations
Many of our extensions are purchased by agencies or developers who install them on websites belonging to their clients. In this model, the agency is the license holder, not the end client. The end client has no direct commercial relationship with OnlineCommunityHub and cannot independently access downloads, updates or support.
Security updates are available to the license holder (the agency). It is the agency's responsibility to apply those updates to the sites under their management. When an agency's maintenance contract with a client ends, either the agency or the client should ensure a valid license is in place to maintain access to future security updates.
End clients: if your website runs one of our extensions but you do not hold a license directly with us, contact the agency or developer who built your site to ensure security updates are being applied. Alternatively, purchase a license directly to gain independent access to updates and support.
GPL license and services
Our extensions are licensed under GNU GPL v2, which permits anyone who receives the software to use, modify and redistribute it. However, the GPL license does not entitle any party to receive updates, security fixes or support from OnlineCommunityHub. These services are available exclusively to registered license holders with an active or eligible account. Obtaining a copy of our software through third-party redistribution, resale of stolen download keys, or any other means does not create a commercial relationship with us or any entitlement to our services.
Template overrides and security releases
Joomla allows site owners and agencies to override extension layout files by placing modified copies in the active template directory. This is a standard Joomla feature used to customize how extensions are displayed without modifying core files.
OnlineCommunityHub has no visibility of, or control over, template overrides placed on customer installations. When we release a security update that changes a layout file, the corresponding template override on an installation is not automatically updated, because Joomla's update mechanism does not touch files in the template directory.
If you use template overrides: every security release we publish explicitly lists which layout files have changed in the changelog. If you have an override for any of those files, you must review and update your override to incorporate the security fix. Failing to do so may leave your site exposed even though the extension itself has been updated.
When reviewing a (security) release, check the changelog for a "Layout files changed" notice. If you are unsure whether your installation has relevant overrides, check your template directory under /templates/[your-template]/html/ for any folders matching our extension names.
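The override check described above can be scripted. This is an added example, not OnlineCommunityHub's own tooling: it assumes you have copied the paths from a release's "Layout files changed" notice into a text file, one path per line relative to the Joomla root, and it maps each path to Joomla's standard override location under templates/[your-template]/html/. Names such as com_example are hypothetical.

```shell
#!/bin/sh
# Added example: find template overrides that shadow layout files changed in
# a release. Input format (one path per line) is an assumption of this example.

# Map an extension layout path (relative to the Joomla root) to its override
# path relative to templates/<template>/html/. Prints nothing for non-layouts.
override_rel() {
  printf '%s\n' "$1" | sed -n -E \
    -e 's#^components/(com_[^/]+)/tmpl/(.+)$#\1/\2#p' \
    -e 's#^components/(com_[^/]+)/views/([^/]+)/tmpl/(.+)$#\1/\2/\3#p' \
    -e 's#^components/(com_[^/]+)/layouts/(.+)$#layouts/\1/\2#p' \
    -e 's#^modules/(mod_[^/]+)/tmpl/(.+)$#\1/\2#p' \
    -e 's#^plugins/([^/]+)/([^/]+)/tmpl/(.+)$#plg_\1_\2/\3#p'
}

# Print every override file that corresponds to a changed layout file.
#   $1 = Joomla root directory
#   $2 = text file with the changed layout paths
affected_overrides() {
  root=$1
  list=$2
  while IFS= read -r changed; do
    rel=$(override_rel "$changed")
    # Skip lines that are not layout files (models, controllers, ...).
    if [ -z "$rel" ]; then
      continue
    fi
    # Check every installed site template, not only the active one.
    for html in "$root"/templates/*/html; do
      if [ -f "$html/$rel" ]; then
        printf '%s\n' "$html/$rel"
      fi
    done
  done < "$list"
  return 0
}

# Usage: sh check-overrides.sh /var/www/joomla changed-layouts.txt
if [ "$#" -eq 2 ]; then
  affected_overrides "$1" "$2"
fi
```

Each path it prints is an override that needs manual review against the updated layout file; an empty result means no override shadows a changed file in any site template.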
Supported platforms
We follow an N / N-1 policy for Joomla: the current major version and the previous one receive active support. Security updates are always built against the latest supported release. Installations on end-of-life platforms cannot be actively maintained; we encourage customers on unsupported platforms to upgrade.
| Platform | End of Active Support | End of Security Support | OCH Support | Note |
|---|---|---|---|---|
| Joomla 6 (N) | 17 Oct 2028 | 16 Oct 2029 | Supported | Primary target platform |
| Joomla 5 (N-1) | 13 Oct 2026 | 12 Oct 2027 | Supported | Supported until Joomla 5 EOL |
| Joomla 4 | 15 Oct 2024 | 14 Oct 2025 | Not supported | EOL reached; upgrade |
| Joomla 3 | 17 Aug 2021 | 17 Aug 2023 | Not supported | No security patches available |

| PHP version | End of Active Support | End of Security Support | OCH Support | Note |
|---|---|---|---|---|
| 8.5 | 31 Dec 2027 | 31 Dec 2029 | Supported | |
| 8.4 | 31 Dec 2026 | 31 Dec 2028 | Supported | Recommended Joomla 6 |
| 8.3 | 31 Dec 2025 | 31 Dec 2027 | Supported | Minimum Joomla 6; recommended Joomla 5 |
| 8.2 | 31 Dec 2024 | 31 Dec 2026 | Supported | |
| 8.1 | 31 Dec 2023 | 31 Dec 2025 | Supported | Minimum Joomla 5 |
| 8.0 and lower | EOL | EOL | Not supported | |
Report a vulnerability
If you believe you have found a security vulnerability in one of our extensions, please let us know. We ask you to report responsibly: do not publicly disclose the issue before we have had the opportunity to investigate and release a fix.
What to include in your report:
- The extension name and version number
- Joomla and PHP version of the affected installation
- A clear description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code or screenshots (if applicable)
Report a security vulnerability via the contact form.
Our response process
Once we receive a report, we follow a structured response process:
| Timeframe | Step | What happens |
|---|---|---|
| Within 48 h | Acknowledgement | We confirm receipt of your report and assign it an internal tracking number. |
| Within 7 days | Initial assessment | We reproduce and assess the severity of the issue and keep you informed of our findings. |
| Patch ready | Fix & coordinated release | We develop and test a fix, then agree a release date with you. All license holders are notified by email on the day of release. |
| Within 14 days of patch | Public disclosure | We publish full details of the vulnerability, its severity, and the fix in the release notes, including credit to the reporter (with consent). |
EU Cyber Resilience Act - conformity
All OnlineCommunityHub extensions are regular products with digital elements within the meaning of the EU Cyber Resilience Act (Regulation 2024/2847). As manufacturer, we perform a self-assessment conformity evaluation for each extension (Article 32(1) CRA).
This means we maintain a cybersecurity risk assessment, technical documentation, and a Software Bill of Materials (SBOM) for every extension we publish. Extensions are placed on the market with a CE marking and an accompanying EU Declaration of Conformity.