# Security Policy

Thank you for helping improve the security of MediaCMS. We take security vulnerabilities seriously and appreciate responsible disclosure.

---

## Reporting a Vulnerability

If you discover a security vulnerability in MediaCMS, **please do not open a public GitHub issue**.

Instead, report it using one of the following methods:

- **GitHub Security Advisories (preferred)**
  Use the "Report a vulnerability" feature in this repository.
- **Contact Form**
  Submit details via the official contact page: https://mediacms.io/contact/

Please include as much of the following information as possible:

- Affected version(s)
- Detailed description of the issue
- Steps to reproduce (PoC if available)
- Impact assessment (e.g. RCE, XSS, privilege escalation)
- Any potential mitigations you are aware of

---

## Supported Versions

Security updates are provided for the **latest stable release** of MediaCMS. Older versions may not receive security patches.

---

## Disclosure Policy

- We aim to acknowledge reports within **7 days**
- We aim to provide a fix or mitigation within **90 days**, depending on severity
- Please allow us time to investigate before any public disclosure

We follow responsible disclosure practices and will coordinate disclosure timelines when appropriate.

---

## Recognition

At this time, MediaCMS does not operate a formal bug bounty program. However, we are happy to acknowledge valid security reports in release notes or advisories (with your permission).

---

Thank you for helping keep MediaCMS secure.