Skip to content

Security: kiwitcms/stands-website

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest ✔️

Supported resources

IMPORTANT: if you are performing a security scan on behalf of a third party please install a self-hosted instance of the kiwitcms/Kiwi container before probbing any of our digital properties!

Reporting a Vulnerability

In case you have found a security problem with any of the resources mentioned above DO NOT report it into GitHub Issues!

Email the Kiwi TCMS team directly at [email protected] to coordinate the fix and discloser of the issue.

Alternatively you can go to https://tidelift.com/security and follow the instructions there. Kiwi TCMS is a registered partner of Tidelift and will be notified when you report the security problem with them!

Security process

Here are the steps we follow:

  1. The person discovering an issue (the reporter) privately reports it to [email protected].
  2. The Kiwi TCMS team will reply to the reporter within 24 hours to acknowledge receipt.
  3. The Kiwi TCMS team will start investigating the report.
  4. The Kiwi TCMS team & reporter will keep the report confidential. This means avoiding public GitHub issues or commits.
  5. Once a report has been investigated, the Kiwi TCMS team will notify the reporter whether the report has been accepted or rejected, with an explanation.
  6. If a report is rejected, there is nothing else to do. If accepted, the process continues.
  7. The Kiwi TCMS team will notify GitHub within 24 hours of a confirmed report. Note: per our GitHub Marketplace agreement!
  8. The Kiwi TCMS team will prepare a fix and an accompanying announcement.
  9. The Kiwi TCMS team will share the fix and draft announcement with the reporter.
  10. Kiwi TCMS and the reporter will negotiate the fix, announcement, and release schedule.
  11. With an announcement plan in place, we'll commit the fix and publish fixed release(s). The commits and releases will be made as close to the announcement as possible, and will not mention that they address a security vulnerability.
  12. Release announcements for the new version(s) will go out as normal.

Rewards

Kiwi TCMS currently does not offer rewards for disclosing security vulnerabilities.

There aren’t any published security advisories