Security: kiwitcms/Kiwi

SECURITY.md

Security Policy

Supported Versions

| Version | Supported |
| ------- | --------- |
| latest  | ✔️        |

Supported resources

IMPORTANT: if you are performing a security scan on behalf of a third party, please install a self-hosted instance of the kiwitcms/Kiwi container before probing any of our digital properties!

Reporting a Vulnerability

In case you have found a security problem with any of the resources mentioned above, DO NOT report it in GitHub Issues!

Email the Kiwi TCMS team directly at info@kiwitcms.org to coordinate the fix and disclosure of the issue.

Alternatively you can go to https://tidelift.com/security and follow the instructions there. Kiwi TCMS is a registered partner of Tidelift and will be notified when you report the security problem with them!

Security process

Here are the steps we follow:

  1. The person discovering an issue (the reporter) privately reports it to info@kiwitcms.org.
  2. The Kiwi TCMS team will reply to the reporter within 24 hours to acknowledge receipt.
  3. The Kiwi TCMS team will start investigating the report.
  4. The Kiwi TCMS team & reporter will keep the report confidential. This means avoiding public GitHub issues or commits.
  5. Once a report has been investigated, the Kiwi TCMS team will notify the reporter whether the report has been accepted or rejected, with an explanation.
  6. If a report is rejected, there is nothing else to do. If accepted, the process continues.
  7. The Kiwi TCMS team will notify GitHub within 24 hours of a confirmed report. Note: per our GitHub Marketplace agreement!
  8. The Kiwi TCMS team will prepare a fix and an accompanying announcement.
  9. The Kiwi TCMS team will share the fix and draft announcement with the reporter.
  10. Kiwi TCMS and the reporter will negotiate the fix, announcement, and release schedule.
  11. With an announcement plan in place, we'll commit the fix and publish fixed release(s). The commits and releases will be made as close to the announcement as possible, and will not mention that they address a security vulnerability.
  12. Release announcements for the new version(s) will go out as normal.