Security & Vulnerability disclosure
1. Our commitment
This Security & Vulnerability Disclosure is currently available in English only. If you need a translation or have questions about its contents, please contact us through our contact form. This page explains how NorrNext manages security for its Joomla extensions, how to report a vulnerability, and what you can expect from us when a security issue is disclosed. Our Security Commitment Security is a fundamental responsibility for us as a software vendor. Our extensions are used on thousands of Joomla websites, and we are committed to handling security issues in a timely, transparent, and professional manner. In accordance with the EU Cyber Resilience Act (Regulation 2024/2847), we maintain a documented vulnerability management process, provide free security updates during the supported lifetime of our products, and cooperate with the National Cybersecurity Center (NCC) / CERT.LV when reporting obligations apply.
2. CRA obligations
If a security release is published, all valid license holders receive temporary download access for 30 days, even if their subscription has expired.
Who Is Covered? Our legal obligations under the CRA arise because NorrNext is an EU-based manufacturer placing products on the EU market. However, the practical protections we provide — including free security updates, a public vulnerability disclosure process, and a five-year support period — apply to all license holders worldwide. If you purchased a license from NorrNext, our security update commitment applies to you regardless of your country of residence.
2.1. Outside the European Union?
3. Agencies and Client Installations
4. End clients
5. Product licenses
Our extensions are licensed under GNU GPL v3.0 and the NorrNext Proprietary Use License (v1.0). The GPL permits recipients of the software to use, modify, and redistribute it. However, receiving a copy of the software does not automatically create a commercial relationship with NorrNext or entitle any party to updates, security fixes, or support services. Updates, security fixes, and support are available only to registered license holders with an active or otherwise eligible account.
6. Template Overrides and Security Releases
Joomla allows site owners to customize extension output through template overrides stored in the active template directory. These override files are not modified by Joomla's update system. If a security release changes a layout file and your site contains an override for that file, the override must be reviewed and updated manually. Otherwise, the security fix may not take effect even though the extension has been updated.
Each security release notes any changed layout files in the changelog. If you use template overrides, check the changelog carefully and update the corresponding override files when necessary.
Overrides are typically located in: /templates/your-template/html/
7. Supported Platforms
| Platform | End of Support | Status |
|---|---|---|
Joomla 6 (N) | Active Support:
17 Oct 2028
Security Support:
16 Oct 2029
| Supported Primary target platform |
Joomla 5 (N-1) | Active Support:
13 Oct 2026
Security Support:
12 Oct 2027
| Supported Supported until Joomla 5 EOL |
Joomla 4 | Active Support:
15 Oct 2024
Security Support:
14 Oct 2025
| Not Supported EOL reached; upgrade |
Joomla 3 | Active Support:
17 Aug 2021
Security Support:
17 Aug 2023
| Not Supported No security patches available |
| PHP version | End of Support | Status |
|---|---|---|
8.5 | Active Support:
31 Dec 2027
Security Support:
31 Dec 2029
| Supported |
8.4 | Active Support:
31 Dec 2026
Security Support:
31 Dec 2028
| Supported Recommended Joomla 6 |
8.3 | Active Support:
31 Dec 2025
Security Support:
31 Dec 2027
| Supported Minimum Joomla 6 Recommended Joomla 5 |
8.2 | Active Support:
31 Dec 2024
Security Support:
31 Dec 2026
| Supported |
8.1 | Active Support:
31 Dec 2023
Security Support:
31 Dec 2025
| Supported |
8.0 | Active Support:
EOL
Security Support:
EOL
| Not Supported |
8. Report a Security Vulnerability
If you believe you have discovered a security vulnerability in one of our extensions, we encourage you to report it to us as soon as possible. We ask that you follow the principles of responsible disclosure and refrain from publicly disclosing the issue until we have had sufficient time to investigate, develop, and release a security fix.
8.1. Our Commitment
We follow a coordinated vulnerability disclosure process and will:
-
Acknowledge receipt of your report within 48 hours.
-
Investigate and validate the reported issue as quickly as possible.
-
Keep you informed of significant progress during the investigation.
-
Notify you once a fix has been released.
-
Credit your contribution in the release notes, with your permission.
8.2. What to Include
Providing complete information helps us reproduce and resolve the issue more efficiently. Please include:
-
The affected NorrNext extension and its version.
-
The Joomla and PHP versions used by the affected installation.
-
A clear description of the vulnerability and its potential impact.
-
Step-by-step instructions to reproduce the issue.
-
Proof-of-concept code, screenshots, or other supporting material where appropriate.
Please use our contact form to report a security vulnerability. Reports are handled confidentially and reviewed by our development team.
9. Our Response Process
Every reported vulnerability follows a documented response process that includes validation, severity assessment, remediation, testing, coordinated disclosure, and public notification where appropriate.
| Period | Details |
|---|---|
within 48 h | Acknowledgement
We confirm receipt of your report and assign it an internal tracking number. |
within 7 days |
Initial assessment
We reproduce and assess the severity of the issue and keep you informed of our findings. |
patch ready |
Fix & coordinated release
We develop and test a fix, then agree a release date with you. All license holders are notified by email on the day of release. |
within 14 days of patch |
Public disclosure
We publish full details of the vulnerability, its severity, and the fix in the release notes, including credit to the reporter (with consent) |
Where required by the EU Cyber Resilience Act (Regulation (EU) 2024/2847), NorrNext will report actively exploited vulnerabilities to the National Cybersecurity Centre (CERT.LV) within the applicable regulatory timeframe. Beginning 11 September 2026, this notification must be made within 24 hours of becoming aware that a vulnerability is being actively exploited.
This reporting obligation applies only to vulnerabilities that meet the reporting criteria defined by the Cyber Resilience Act. Not every disclosed security issue requires notification to the national cybersecurity authority.
10. EU Cyber Resilience Act Compliance
All NorrNext extensions are classified as Products with Digital Elements (PDEs) under the EU Cyber Resilience Act (Regulation (EU) 2024/2847). As the manufacturer, NorrNext performs the required conformity assessment for each extension in accordance with Article 32(1) of the Regulation.
To demonstrate compliance, we maintain comprehensive technical documentation for every supported product, including:
- A documented cybersecurity risk assessment.
- Technical documentation supporting regulatory compliance.
- A Software Bill of Materials (SBOM).
- A documented vulnerability management and incident response process.
Each extension is released with a CE marking and a corresponding EU Declaration of Conformity, confirming that the product meets the applicable requirements of the Cyber Resilience Act.
10.1. Declaration of Conformity
The EU Declaration of Conformity for each extension is available on its individual product page together with the applicable support period and compliance information. Look for the Compliance & Support section.