
Security: infinity-a11y/KiwiMS

SECURITY.md

Security Policy

Reporting a Vulnerability

We take the security of this project seriously. If you believe you have found a security vulnerability, please help us fix it by reporting it responsibly through the proper channels.

Important

Please do not open a public GitHub issue for security reports. Publicly disclosing a vulnerability before a fix is ready puts all users at risk.

How to Report

We prefer that you use GitHub's Private Vulnerability Reporting feature. This allows for secure, private communication and collaborative fixing.

What to Include

To help us triage and fix the issue quickly, please include:

  • Description: A brief summary of the vulnerability.
  • Severity: Your assessment of the impact (Low, Medium, High, Critical).
  • Steps to Reproduce: A detailed guide, Proof of Concept (PoC) script, or screenshots.
  • Impact: What an attacker could achieve if this is exploited.

Our Response Process

Once a report is submitted, you can expect the following commitment from our team:

  1. Acknowledgment: We will acknowledge receipt of your report within 48 hours.
  2. Triage: We will investigate the report and confirm the vulnerability. We may contact you for further clarification during this stage.
  3. Remediation: If the report is valid, we will work on a patch. We aim to have a fix or mitigation strategy ready within 14 days.
  4. Disclosure: Once the fix is merged and a new release is published, we will issue a Security Advisory and credit you for the discovery (unless you prefer to remain anonymous).

Guidelines for Researchers

To protect our users and the integrity of the project, we ask that you follow these ground rules:

  • Responsible Disclosure: Do not disclose the vulnerability to the public or any third party until we have released a fix.
  • Respect Privacy: Do not attempt to access, modify, or delete data belonging to other users.
  • No Destructive Testing: Avoid any testing that could result in a Denial of Service (DoS) or data corruption.
  • Stay in Scope: Only report vulnerabilities related to the source code within this repository.

Recognition

While we do not currently offer a financial "Bug Bounty" program, we value your contribution to the community. Valid reports will be recognized with:

  • Public attribution in our Release Notes.
  • A permanent "Thank You" in our security contributors list.
