Skip to main content

Security & Vulnerability disclosure

Revised on 30 June 2026

1. Our commitment

This Security & Vulnerability Disclosure is currently available in English only. If you need a translation or have questions about its contents, please contact us through our contact form. This page explains how NorrNext manages security for its Joomla extensions, how to report a vulnerability, and what you can expect from us when a security issue is disclosed. Our Security Commitment Security is a fundamental responsibility for us as a software vendor. Our extensions are used on thousands of Joomla websites, and we are committed to handling security issues in a timely, transparent, and professional manner. In accordance with the EU Cyber Resilience Act (Regulation 2024/2847), we maintain a documented vulnerability management process, provide free security updates during the supported lifetime of our products, and cooperate with the National Cybersecurity Center (NCC) / CERT.LV when reporting obligations apply.

2. CRA obligations

If a security release is published, all valid license holders receive temporary download access for 30 days, even if their subscription has expired.

Who Is Covered? Our legal obligations under the CRA arise because NorrNext is an EU-based manufacturer placing products on the EU market. However, the practical protections we provide — including free security updates, a public vulnerability disclosure process, and a five-year support period — apply to all license holders worldwide. If you purchased a license from NorrNext, our security update commitment applies to you regardless of your country of residence.

2.1. Outside the European Union?

If you hold a valid NorrNext license, you receive the same security update commitment regardless of where you are located. While the EU Cyber Resilience Act provides the legal framework for our security obligations, our security policies and update commitments apply equally to all license holders worldwide.

3. Agencies and Client Installations

Many customers are agencies or developers who install our extensions on websites belonging to their clients. In these cases, the agency is usually the license holder, while the end client does not have a direct commercial relationship with NorrNext. Security updates are provided to the license holder, and it is the agency's responsibility to deploy those updates to the websites it manages.

4. End clients

If your website uses one of our extensions but you do not hold a license directly with us, please contact the agency or developer who built your site to confirm that security updates are being applied. Alternatively, you may purchase a license directly from NorrNext to obtain independent access to updates and support.

5. Product licenses

Our extensions are licensed under GNU GPL v3.0 and the NorrNext Proprietary Use License (v1.0). The GPL permits recipients of the software to use, modify, and redistribute it. However, receiving a copy of the software does not automatically create a commercial relationship with NorrNext or entitle any party to updates, security fixes, or support services. Updates, security fixes, and support are available only to registered license holders with an active or otherwise eligible account.

6. Template Overrides and Security Releases

Joomla allows site owners to customize extension output through template overrides stored in the active template directory. These override files are not modified by Joomla's update system. If a security release changes a layout file and your site contains an override for that file, the override must be reviewed and updated manually. Otherwise, the security fix may not take effect even though the extension has been updated.

Each security release notes any changed layout files in the changelog. If you use template overrides, check the changelog carefully and update the corresponding override files when necessary.

Overrides are typically located in: /templates/your-template/html/

7. Supported Platforms

We follow an N / N-1 support policy for both Joomla and WordPress, meaning the current major version and the previous major version receive active support. Security updates are developed and tested against the latest supported releases. Installations running on end-of-life platforms cannot be actively maintained, and we strongly recommend upgrading to a supported version.
PlatformEnd of SupportStatus
Joomla 6 (N)
Active Support:
17 Oct 2028
Security Support:
16 Oct 2029
Supported
Primary target platform
Joomla 5 (N-1)
Active Support:
13 Oct 2026
Security Support:
12 Oct 2027
Supported
Supported until Joomla 5 EOL
Joomla 4
Active Support:
15 Oct 2024
Security Support:
14 Oct 2025
Not Supported
EOL reached; upgrade
Joomla 3
Active Support:
17 Aug 2021
Security Support:
17 Aug 2023
Not Supported
No security patches available
PHP versionEnd of SupportStatus
8.5
Active Support:
31 Dec 2027
Security Support:
31 Dec 2029
Supported
8.4
Active Support:
31 Dec 2026
Security Support:
31 Dec 2028
Supported
Recommended Joomla 6
8.3
Active Support:
31 Dec 2025
Security Support:
31 Dec 2027
Supported
Minimum Joomla 6
Recommended Joomla 5
8.2
Active Support:
31 Dec 2024
Security Support:
31 Dec 2026
Supported
8.1
Active Support:
31 Dec 2023
Security Support:
31 Dec 2025
Supported
8.0
Active Support:
EOL
Security Support:
EOL
Not Supported

8. Report a Security Vulnerability

If you believe you have discovered a security vulnerability in one of our extensions, we encourage you to report it to us as soon as possible. We ask that you follow the principles of responsible disclosure and refrain from publicly disclosing the issue until we have had sufficient time to investigate, develop, and release a security fix.

8.1. Our Commitment

We follow a coordinated vulnerability disclosure process and will:

  • Acknowledge receipt of your report within 48 hours.
  • Investigate and validate the reported issue as quickly as possible.
  • Keep you informed of significant progress during the investigation.
  • Notify you once a fix has been released.
  • Credit your contribution in the release notes, with your permission.

8.2. What to Include

Providing complete information helps us reproduce and resolve the issue more efficiently. Please include:

  • The affected NorrNext extension and its version.
  • The Joomla and PHP versions used by the affected installation.
  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue.
  • Proof-of-concept code, screenshots, or other supporting material where appropriate.
Ready to submit a report?

Please use our contact form to report a security vulnerability. Reports are handled confidentially and reviewed by our development team.

9. Our Response Process

Every reported vulnerability follows a documented response process that includes validation, severity assessment, remediation, testing, coordinated disclosure, and public notification where appropriate.

PeriodDetails
within 48 h
Acknowledgement

We confirm receipt of your report and assign it an internal tracking number.

within 7 days
Initial assessment

We reproduce and assess the severity of the issue and keep you informed of our findings.

patch ready
Fix & coordinated release

We develop and test a fix, then agree a release date with you. All license holders are notified by email on the day of release.

within 14 days of patch
Public disclosure

We publish full details of the vulnerability, its severity, and the fix in the release notes, including credit to the reporter (with consent)

Where required by the EU Cyber Resilience Act (Regulation (EU) 2024/2847), NorrNext will report actively exploited vulnerabilities to the National Cybersecurity Centre (CERT.LV) within the applicable regulatory timeframe. Beginning 11 September 2026, this notification must be made within 24 hours of becoming aware that a vulnerability is being actively exploited.

This reporting obligation applies only to vulnerabilities that meet the reporting criteria defined by the Cyber Resilience Act. Not every disclosed security issue requires notification to the national cybersecurity authority.

10. EU Cyber Resilience Act Compliance

All NorrNext extensions are classified as Products with Digital Elements (PDEs) under the EU Cyber Resilience Act (Regulation (EU) 2024/2847). As the manufacturer, NorrNext performs the required conformity assessment for each extension in accordance with Article 32(1) of the Regulation.

To demonstrate compliance, we maintain comprehensive technical documentation for every supported product, including:

  • A documented cybersecurity risk assessment.
  • Technical documentation supporting regulatory compliance.
  • A Software Bill of Materials (SBOM).
  • A documented vulnerability management and incident response process.

Each extension is released with a CE marking and a corresponding EU Declaration of Conformity, confirming that the product meets the applicable requirements of the Cyber Resilience Act.

10.1. Declaration of Conformity

The EU Declaration of Conformity for each extension is available on its individual product page together with the applicable support period and compliance information. Look for the Compliance & Support section.