Disclose a Vulnerability
You may submit security reports to email@example.com. We ask that you read over the below guidelines before submitting security reports.
In order to safeguard the privacy and security of Tiki installs, we ask that you only perform security testing on machines that you administer.
Your report will be evaluated by the following criteria before it is accepted for fixing:
- The issue must allow a user to modify data without permissions to do so or access data that is considered private.
- Step by step instructions must be provided so that the issue can be reproduced. The Tiki version the issue was found in is also helpful.
- The issue must exist in the Tiki code-base. Security issues inherent in dependencies or third-party software should be submitted upstream.
- Social engineering and content injection (HTML injection) do not qualify as security issues unless they directly lead to an exploit as outlined above. Posting content in Tiki is a core feature and can and should not be avoided.
We ask that you honor responsible disclosure https://en.wikipedia.org/wiki/Responsible_disclosure.
We do not create CVE IDs. However, you are welcome to issue them yourself. If you do create a CVE, we ask that you inform us of the ID.
We disclose to our users when security issues are present in our release notes at http://tiki.org/News, along with in-Tiki security update notifications.
We ask for a 30 day grace period after the security release is announced at http://tiki.org/News before making any security issues public. This allows our users to perform security updates with minimal risk.
All security issues that meet the Submission Guidelines will be fixed by our security team. You also have the option of fixing the issue yourself. See https://dev.tiki.org/How-to-get-commit-access for instructions on how to commit to our code-base. Please note that commit messages are public, so in order to avoid premature disclosure, we ask that you keep the message vague and report the commit ID to firstname.lastname@example.org.
After the issue has been fixed, but not released, we will send you the commit ID's so that you have an opportunity to evaluate the fix.
Security issues can sometimes be complex to solve and may take time to patch and test. Please know that Tiki is an open source project and is entirely run by volunteers. Expect between 1 and 6 months before the issue has been fixed and released, depending on the complexity and severity.
We are always grateful for security reports and thank you in advance for your assistance in keeping Tiki safe.
All security reports that meet the above guidelines will be credited on http://tiki.org/News. Your name, organization and a link may be included in this acknowledgment.
Please note that Tiki is unable to offer any monetary compensation for the disclosure of security issues. It is the nature of our open-source project that all contributions are offered freely.