Joomla! World Conference 2026

You may have read about it in the official announcement: Joomla has been authorized as a CVE Numbering Authority. But what is this, you might wonder, why is it such a big deal, and what does it mean to the average Joomla user?

CVE means Common Vulnerabilities and Exposures. It’s a huge international, community-driven open database containing information about vulnerabilities in computer systems and networks. Each entry in the database has its own unique ID.

Every new vulnerability that is reported, is checked before it becomes publicly available. It gets a “reserved” status in the database until it has been investigated. So when a vulnerability in Joomla is found, it gets reported, receives an ID, is marked as reserved, and Joomla can decide to fix it and/or provide public announcements about it.

Who assigns these IDs?

Worldwide, until recently, there were 145 organisations (in 25 countries) who were authorized to assign these IDs to vulnerabilities and thus provide them to researchers, vulnerability disclosers and information technology vendors, and eventually make them visible to the public. These organisations are called CVE Numbering Authorities (CNA’s).

As you probably guessed by now, since mid November 2020, there are 146 CNA’s: Joomla has been authorized as well. This means we can assign these numbers ourselves, choose to publicly disclose a vulnerability with an already assigned CVE ID and, basically, control the disclosure of vulnerability information.

Why is that important?

In the past, false security issues have been registered with the CVE by people or organisations not related to Joomla, this was done for instance by re-registering vulnerabilities that were fixed long ago. In several cases this resulted in inaccurate blog posts from organisations or individuals, even from authorities on security issues, claiming that Joomla is insecure, which, as you all know, is not true. Joomla is one of the safest content management systems available.

From now on, only Joomla itself (the Joomla Security Strike Team) is allowed to register vulnerability issues and assign a CVE ID for issues related to Joomla. And the JSST are the only ones authorized to create a new number for a new security issue we want to publish. This means our awesome JSST can work more closely with the international security community to make Joomla even more secure. And not just Joomla: extensions as well!

And what does this mean for me?

As a Joomla user, you are used to working with a stable, very secure and super safe CMS that enables you to create beautiful websites and powerful online applications. You probably already knew that Joomla is the best choice when you’re looking for a search engine and mobile friendly, multilingual, flexible and extensible open source CMS.

The big news is: that won’t change at all... except of course that “safe” just got safer.

About the author

Before I got my current job as Coordinator Communications & Digital, I ran my own company for 25 years. The first 15 years I was a writer / editor / journalist / writing coach, but then I created my first website with Joomla... and I was hooked. I switched careers and became a website developer. My current job combines these two skills, so that's a win-win 🙂 

Anja's Holopin board

Why I contribute to Joomla

To many people Joomla is just a tool. But if you look a little closer, you'll notice it's much more than that. It's a living system, raised and nourished by a community of volunteers dedicating their time to make it the best CMS ever. Without volunteers, Joomla wouldn't exist. It's not 'just a product'. Everyone who uses Joomla, can do so because someone, somewhere, contributed to it. I want to give back to the community that keeps Joomla alive.

And, probably needless to say: I love being part of that community. 

Contributing to Joomla by volunteering brought me so much: valuable experience, more knowledge and a better understanding of Joomla and its community, and the opportunity to work together with a crowd of lovely people all over the world.

Visit website

Some articles published on the Joomla Community Magazine represent the personal opinion or experience of the Author on the specific topic and might not be aligned to the official position of the Joomla Project

Comments