Security Guide

Under Incident Handling->TYPO3 Extensions, there is a bulletpoint list of things that can happen when a flaw is discovered in an extension. The list starts with the least feasible possibility, and goes on to the best case scenario. This leaves a negative impression in the mind of the reader. I can imagine that it might be possible that in most cases, developers fail to respond. Still, I think that the order should be reversed to start with the most positive case: "the developer responds and delivers a fix".

Under General Information->Difference between core and extensions: "Since everybody can submit extensions to the TER, the code quality varies greatly. Some extensions show a very high level of code quality, while others have been written by amateurs. Most of the known security issues in TYPO3 have been found in these extensions, which are not part of the core system. Therefore, this does not imply that TYPO3 is insecure in general. It is possible, that none of these issues are related to TYPO3 itself but have been found in extensions."

I think the bold sentences put too much emphasis on vulnability of extensions. It is probably true that there are more vulnerabilities found in extensions than in the core, and I agree that the reader should be made aware of that fact. But even without the bold part, this message is conveyed. In my opinion the bold part is too defensive and sounds a bit like "hey, dont look at us, it's those amateur extension writers who are the bad guys!"