SuiteCRM Ltd is committed to the security of our software and the data of our users. We take all reports of security vulnerabilities seriously and appreciate the efforts of researchers who help us maintain a secure platform. Responsible disclosure is the foundation of a healthy security community, and we welcome researchers who report issues to us privately before making them public.
Please do not disclose security bugs publicly (including on social media, the forums, or public GitHub issues) until they have been handled and patched by the security team.
Vulnerability reports should only be submitted for actively supported versions of the software.
Please check the Supported Versions page for the current list of versions receiving security updates.
The following are in scope for vulnerability reports:
- The SuiteCRM 7 and SuiteCRM 8+ core application code.
- Authentication, authorisation, and session handling.
- Data exposure or injection vulnerabilities (e.g. SQL injection, XSS, CSRF).
The following are out of scope:
- Third-party plugins, themes, or integrations not maintained by SuiteCRM Ltd.
- Vulnerabilities in self-hosted infrastructure or configuration choices made by the site administrator.
- Issues only reproducible on unsupported versions.
- Theoretical vulnerabilities without a working proof of concept.
If you have discovered a security risk within SuiteCRM, please report it via GitHub Security Advisories. This is our strongly preferred method as it is the most secure and efficient way for our team to track and resolve vulnerabilities.
- SuiteCRM 7 & SuiteCRM 8+: If the issue exists in both versions or only SuiteCRM 7, please report it in the SuiteCRM repository.
- SuiteCRM 8 Only: If the issue exists only within SuiteCRM 8+, please report it in the SuiteCRM-Core repository.
When reporting, please provide a detailed description of the flaw, including how it can be triggered and what impact it has. To prevent sensitive information from becoming public when a CVE is eventually released, please attach any Proof of Concept (PoC) materials as a comment on the advisory rather than including them in the main description.
If you are unable to use GitHub, you may email your report to the Security Team at security@suitecrm.com as a last resort.
To help our team assess your report quickly, please ensure it meets the following criteria:
| Criteria | Requirement |
|---|---|
| Scope | Include one issue per report. |
| Verification | The issue must have been verified by the reporter before submission. |
| Reproduction | Provide clear, step-by-step instructions to reproduce the issue or a working PoC script. |
| Version Data | Specify the exact version of SuiteCRM and the environment (e.g. PHP version, OS) where the issue was found. |
| Support Status | The reported version must be among our actively supported versions. |
Your report will be acknowledged within 72 hours during the business week (Monday – Friday), excluding UK National Holidays.
Reports are prioritised based on an initial assessment of severity. The time to fully assess a report depends on its complexity and the quality of the documentation provided. We aim to complete an initial assessment within 21 days of acknowledgement.
Once fully assessed, the reporter will be notified of:
- The assigned Severity and Priority grading.
- The anticipated plan for a fix to be released.
If a report is found to be invalid or out of scope, the reporter will be notified and given the option to create a standard public issue if applicable.
Security issues are resolved based on their impact. The time to resolution varies depending on the complexity of the fix and the release cycle. The reporter will be notified once the fix has been merged and a release date is scheduled.
We are grateful to the researchers who help keep SuiteCRM secure. Unless you wish to remain anonymous, reporters of valid, in-scope vulnerabilities will be credited by name in the release notes for the version that includes the fix.
Content is available under GNU Free Documentation License 1.3 or later unless otherwise noted.