SuiteCRM Ltd is committed to the security of our software and the data of our users. We take all reports of security vulnerabilities seriously and appreciate the efforts of researchers who help us maintain a secure platform.
Vulnerability reports should only be submitted for actively supported versions of the software.
Please check the Supported Versions page for the current list of versions receiving security updates.
If you have discovered a security risk within SuiteCRM, we advise that you report it via the GitHub Security Advisories section of the relevant repository. This is the most secure and efficient method for our team to track and resolve the issue.
When reporting via GitHub, please provide a detailed description of the flaw and attach any Proof of Concept (POC) materials directly to the advisory.
Alternatively, you can email your report to the Security Team at security@suitecrm.com.
Please do not disclose security bugs publicly (including on social media, the forums, or public GitHub issues) until they have been handled and patched by the security team.
To help our team assess your report quickly, please ensure it meets the following criteria:
Scope: Include one issue per report (or a maximum of three if they are directly related).
Verification: The issues must have been verified by the reporter before submission.
Reproduction: Provide clear, step-by-step instructions to reproduce the issue or a working POC script.
Version Data: Specify the exact version of SuiteCRM and the environment (e.g., PHP version, OS) where the issue was found.
Support Status: The reported version must be among our actively supported versions.
Your report will be acknowledged within 72 hours during the business week (Monday – Friday), excluding UK National Holidays.
Reports are prioritised based on an initial assessment of severity. The time to fully assess a report depends on its complexity and the quality of the documentation provided.
Once fully assessed, the reporter will be notified of:
The assigned Severity and Priority grading.
The anticipated plan for a fix to be released.
If a report is found to be invalid or out of scope, the reporter will be notified and given the option to create a standard public issue if applicable.
Security issues are resolved based on their impact. The time to resolution varies depending on the complexity of the fix and the release cycle. The reporter will be notified once the fix has been merged and a release date is scheduled.
Content is available under GNU Free Documentation License 1.3 or later unless otherwise noted.